Confidence on the Cloud – A New Cloud Privacy Standard (ISO 27018)

The Cloud Today

The growing marketplace of cloud computing.

Cloud computing’s growth in use and popularity has been soaring at a great pace! According to Gartner (2013), the marketplace for cloud computing will grow ~20% to USD 131 billion in 2017 from USD 111 billion in 2012.

What’s more?

2016 will be a defining year for cloud as this cutting-edge technology will just get more sophisticated in the next few years.

The Cloud Landscape

Cloud computing started as an in-house infrastructure established by companies such as Microsoft, Google and Amazon to serve their individual business needs. This consists of a set of technologies and service models that focus on Internet-based use and delivery of IT applications, processing capability, storage and memory space.

But now it has evolved into a platform on which much of our daily life depends. While public and private cloud offer one way to differentiate the infrastructure sharing options, SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) have come to define the extent and level of control held by the cloud service provider (CSP) versus the cloud user.

According to the National Institute of Standards and Technology (NIST), the “cloud” is composed of five essential characteristics.

  1. On-demand self-service: a customer can order a service via the web or another method at any point in time and have it immediately available for his or her use.
  2. Broad network access: services are available over the network and are accessed through standard mechanisms (mobile phone, tablet, laptop, etc.).
  3. Rapid elasticity and measured service: additional capacity remains available and accessible on an ‘as needed’ basis, and customers are automatically billed for their consumption.
  4. Last but not least, resource pooling: the provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

The Confidence for Tomorrow – ISO 27018

The massive flows of data across cloud computing services are becoming ever more complex. Identifying and protecting personal data in those flows is becoming a daunting task for many cloud service providers and cloud users. Given the substantial data protection risks, measures need to be undertaken to mitigate them, to the benefit of the cloud computing industry and its clients.

While there are several laws and regulations around it, a common benchmark or standard was lacking for some time. ISO 27018:2014 – Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors – is the first set of international privacy controls launched for the cloud.

Following and using the privacy controls set out in ISO 27018 gives service providers greater assurance that they are doing the right thing and doing everything recommended to protect customers’ personal information. The mechanism benefits both cloud providers and cloud users. For a consumer buying cloud services, it helps identify the requirements for selecting a cloud provider and define contractual clauses. For a cloud service provider, it offers a unique selling proposition to potential clients: as more clients become familiar with the standard, the more often they will ask for it in their requests for proposals.

ISO 27018 takes public policy from around the world into account, as it integrates input from many regional regulators. A cloud service provider’s conformance to the standard makes the job of complying with particular legislation in one country or region that much easier. The standard provides a common set of guidelines for the whole industry and adds needed protections to improve the security and protection of PII in an increasingly cloud-based information environment.

ISO 27018 – Quick Overview

Key Elements of the Standard

ISO 27018 is a standard put forward by the International Organization for Standardization (ISO) that seeks to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a data processor. In order to fulfill the standard, cloud service providers must understand the following key elements:

  1. Personally Identifiable Information (PII) instead of Personal Data

The scope of “personal data” covers not only information that “can be used” or “linked” to a PII principal/data subject, but “any information” relating to an identifiable natural person.

  2. Cloud Providers as Data Processors

In ISO/IEC 27018 the client is regarded as the PII controller and the cloud service provider as the PII processor.

  3. Personal Data Protection Principles

ISO/IEC 27018 contains a comprehensive set of controls regarding:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations and communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Compliance
  • Information security aspects of business continuity management.

Through these controls, the PII processor enables the cloud service client to comply with its regulatory obligations (data protection) and, at the same time, conforms to its own obligations, whether legal or contractual.

  4. Accountability and Certification

Elements of the principle of accountability are incorporated into the standard, in particular data breach notification, privacy by design, audits and certifications. In general, the standard may be seen as an instrument that assists the PII processor in complying with the requirements of the accountability principle. Key to demonstrating compliance in the context of the accountability principle is third-party certification: a cloud service provider that implements the new standard may ask for a conformity assessment in order to be certified as complying with the standard.

In order to comply with the standard, participating cloud service providers must provide transparency in the following practices:

  • only process personal data in accordance with the customer’s instructions;
  • only process personal data for marketing or advertising purposes with the customer’s express consent;
  • be transparent around the use of sub-processors (which will include providing the names of, and any possible locations where the data may be processed by, any sub-processors);
  • ensure that staff who have access to personal data enter into confidentiality agreements and receive appropriate staff training;
  • make required disclosures to law enforcement authorities and/or regulators only when legally bound to do so;
  • assist cloud customers to comply when individuals assert their access rights; and
  • help cloud customers comply with their notification obligations in the event of a data breach.

Top 10 Things to Know about Cloud Security and ISO 27018

Way Forward

The current landscape of cloud security standards is best characterized as immature but emerging. ISO 27018 provides transparent guidance for cloud service providers to establish privacy protection and allows businesses to make careful decisions about the cloud. Beyond the guidance it provides today, ISO 27018 can also serve as a reference point for the future improvement of standards. As the first international standard dedicated to cloud privacy, it has initiated an interchange of ideas among CSPs on best practice for data privacy and security. ISO 27018 is an important step towards protecting PII in the cloud; it emerges from previous ISO guidelines and will continue to evolve along with cloud service providers’ technology to provide more secure services for the growth and success of businesses.

ECC International is a leading process improvement solutions provider in Southeast Asia, focused on process consulting, automation solutions and learning outsourcing services. We help companies achieve performance excellence by assisting them in implementing management systems and international standards/best practices across multiple domains and industries.

Our partnerships with best-in-class technology companies help drive sustained excellence for our customers. As a solutions provider with instructional design capability and subject matter expertise in niche areas, we help organizations implement learning strategies and design learning content for improved performance.

APEX Global (The Academy for Professional Excellence) is the learning solutions arm of ECCI – the leading process improvement solutions provider in Southeast Asia.

Our sole aim is to promote performance excellence among professionals. We help our customers achieve greater success through effective, experiential and result-oriented training delivery.

Empowered with a strong pool of expert trainers and facilitators with expertise in a niche array of domains, and a strong regional presence, we provide an extensive portfolio of excellent industry-specific and functional programs, coupled with high-quality training materials, to deliver best-in-class services for professionals.

We are a market leader when it comes to Information Security and Risk Management solutions (in the form of training, consulting and GRC solutions) in SE Asia.

To learn more about cloud security, ISO 27018 guidelines and requirements, and their correlation with existing standards such as ISO 27001 and EU Data Protection Laws, join us at the Confidence on the Cloud – Data Security Best Practices based on ISO 27018 training program.

Taking the next step with the new ITIL® Practitioner Qualification

Axelos, the owner of ITIL, has announced the most significant evolution for ITIL – the new ITIL Practitioner qualification.

ITIL Practitioner is being developed in collaboration with Practitioners worldwide to help organizations and individuals increase the value they obtain from using ITIL by offering additional practical guidance to adopt and adapt the framework to support the business. It will be the next step after ITIL Foundation for professionals who have already learned the basics of IT Service Management (ITSM) and the business value of well-designed and delivered services. It will help guide them through the practical side of successfully applying the theory in the workplace.

A specific amount of credit points will be assigned to ITIL Practitioner that will count towards ITIL Expert the same way as Foundation, Intermediate and Managing Across the Lifecycle (MALC) do today.

Why was this introduced?

The demands organizations are putting on their IT teams and IT service providers have changed significantly in the recent years. In many cases, we have moved from “let’s keep everything as stable as possible” to “let’s be as agile as possible (and make sure we can recover instantly)”. The technological capabilities – such as those enabled by rapidly evolving cloud computing – and associated practices have made it possible to better answer those demands. The detailed ‘how’ of all of this depends, though – what works for a Bay Area start-up might not work for a large multinational enterprise, and the expectations from existing customers of 10+ years differ from those acquired yesterday. For ITSM professionals, there is an ever-growing demand for more practical guidance on how to design fit-for-purpose and fit-for-use services and supporting processes.

That is where ITIL and other philosophies, frameworks and methodologies – such as Lean, DevOps and Agile – need to intersect for the best results. There are no silver bullets – organizations need to wisely choose the best ways to address specific challenges. ITIL helps with this by providing the framework where good practice of the ‘how’ can be plugged into. Additional, practical guidance was needed to bring this to life.

Enter… ITIL Practitioner

Setting what is often (mistakenly!) considered to be the last ITIL lifecycle stage, almost a nice-to-have feature – Continual Service Improvement (CSI) – as the backbone of the new qualification, ITIL Practitioner brings what is one of the most under-used and under-valued parts of ITIL to the real world. It is CSI that helps organizations to focus on the improvements delivering most value and to make sure the services and the practices supporting these can keep up with the needs from the ever-changing organization, and continually improve.

ITIL Practitioner equips ITSM professionals with the tools to identify the improvement needs and priorities in their organization, to successfully start and run the improvement initiatives and to deliver the value expected. The qualification – and the guidance supporting it – brings together various parts of ITIL, adding more detail as required, and combines this with the practical ‘how to’. The good practice from ITSM professionals from around the world is distilled into concepts, models and capabilities, and complemented with tools and methods to place it in the context of a specific organization. This is ITIL Practitioner.

For more information, please check this ITIL Practitioner page.

Maximize the synergies between ITIL and DevOps

This white paper describes the synergies between ITIL® best practices and DevOps (development and operations) practices. ITIL focuses on the lifecycle of services, from inception to retirement, and provides best-practice guidance for IT service management (ITSM). The ITIL service lifecycle includes the development and operation of services. DevOps is a movement, inspired by lean methodology and agile development practices, which aims to achieve seamless workflow for product synchronization between all possible organizational functions – especially development and operations groups. A DevOps approach tries to reconcile the different priorities and processes of these groups, all for the purpose of facilitating greater business agility and delivering more value to the end user. In some organizations, this work is performed by virtual teams from different groups. ITIL describes rapid application development in the service design book as using agile software development.

Most IT organizations are struggling to remove silos that hamper their ability to work collaboratively. Failure to collaborate interferes with the effective use of an organization’s capabilities and resources, leading to inflexibility and inefficiency in the delivery and support of services. When that happens, the reputation of IT can suffer. Most companies – and not-for-profit organizations as well – are entirely dependent on the internet for their core businesses, and the speed of innovation there is staggering. That means the ability of a business to react to market dynamics is based to a large degree on the agility and flexibility of its IT department.

Since so many organizations rely on ITIL as the foundation of their service management processes, understanding the synergies between ITIL and DevOps is essential to improving organizational performance and business outcomes. As many recent examples have shown, IT organizations that fail to confront and reconcile the widening gap between their development and operations teams stand to lose their footing in today’s competitive business environment.


To get a complete perspective of the depth of best practices that ITIL addresses, organizations should understand the key frameworks and standards that apply to ITSM. These include, for example, the following: ITIL, ISO/IEC 20000, ISO/IEC 27001, CMMI®, COBIT®, PRINCE2®, PMBOK®, M_o_R®, eSCM-SP™, eTOM® and Six Sigma™. For best-practice guidance, DevOps processes can turn to ITIL as the foundation architecture, referencing other standards and frameworks as needed to solve particular business issues.

These proven practices can also be combined with organization-specific practices for competitive advantage and for improvement of the practices themselves. ITIL, because it is a non-proprietary and non-prescriptive approach, helps with the construction of enterprise-specific frameworks. ITIL guidance enables you to modify your own processes and address the DevOps gaps based on IT service management best practices. (See Figure 1.)

ITIL describes the application management process in the service operation publication as having the following activities – requirements, design, build, deploy, operate and optimize (Figure 2). ITIL  is interested in the overall management of applications within the application management function. Alignment between development and operations of the applications needs to be accomplished. Applications development should be involved in all stages of the ITIL service lifecycle at various levels of engagement. The ITIL application management lifecycle does not replace any software development lifecycle but is meant to show collaboration between application management and operation management.

It is important to remember that the ITIL service lifecycle stages are dynamic. This dynamic nature can be applied for decision support. For example, although you may be focused on one stage of the lifecycle in your job function, you may have to make decisions related to another stage – such as a developer working with the release and deployment process in service transition having to make service design decisions before building the release. The requirements stage is active during the service design stage of the lifecycle. The design stage translates requirements into specifications for the application, environment and operational model. In the build stage the application is coded or acquired and, together with the operational model, made ready for deployment. Build and deploy are part of the release and deployment process in the service transition stage of the lifecycle. Release includes build and test; deployment includes installation and training for the application. Early life support (ELS) helps the deployment succeed in operation. When the service or application is in operation, value can be realized and the service can be monitored for continual improvement and optimization. The key performance indicators (KPIs) obtained, including user satisfaction, can direct further development improvements and provide a DevOps practice with factual information for coordination and collaboration between development and operations.

DevOps uses agile and lean methodologies to improve or expedite solutions through the development and operations stages for value realization. Agile methods depend on interactions and collaboration among people, processes and technology. The specific process areas of configuration management, change management, and release and deployment are very important in an agile environment. Just as in ITIL, the process integrations help foster agility. The success of agile methods (particularly when addressing the DevOps gap), while sometimes measured by the increased volume of deliveries, is best measured by customer satisfaction, given the continual delivery of needed solutions and services.

Continual delivery of developed service solutions needs to be in synchronization with the ability of the consumer to absorb the benefit. Services that are delivered too slowly cannot meet the needs of the consumer and services delivered too fast cannot be utilized. Service solutions should also leverage the consumer’s service value chain and be continuously integrated to avoid the necessity for the creation of manual procedures where once automation existed.

A DevOps strategy that facilitates the aforementioned continual delivery and continuous integration should leverage technology that has integrated and automated application-release capabilities. This technology should provide the following major capabilities based on ITIL best practices:

  • a real-time, end-to-end, actionable view with comprehensive visibility of releases as they progress through their individual processes
  • control over environment configurations to eliminate inconsistencies, unauthorized changes and misconfigurations
  • integration of automation and human-oriented workflows 
  • diagnostics and root-cause analysis
  • seamless integration with change management to track changes during a release


This section reviews the ITIL architecture and how it applies to DevOps. ITIL consists of five service lifecycle stages, with key processes described in five core publications (see Figures 3, 4 and 5):

  • service strategy
  • service design
  • service transition
  • service operation
  • continual service improvement.

Continual service improvement is integral to all other lifecycle phases; each stage of the lifecycle is dynamic and supports the other stages. ITIL focuses on utilizing people, processes, products and partners for the effective, efficient and economic delivery and support of services. Each publication focuses on particular process areas to support the decisions that must be made within that stage of the service lifecycle. The entire service lifecycle is relevant for DevOps because it focuses on service delivery and on defining the overall service relationship between the customer and the supplier.

Service strategy

  • Strategy management for IT services
  • Service portfolio management
  • Financial management for IT services
  • Demand management
  • Business relationship management

Service design

  • Design coordination
  • Service catalogue management
  • Service level management
  • Availability management
  • Capacity management
  • IT service continuity management
  • Information security management
  • Supplier management

Service transition

  • Transition planning and support
  • Change management
  • Service asset and configuration management
  • Release and deployment management
  • Service validation and testing
  • Change evaluation
  • Knowledge management

Service operation

  • Event management
  • Incident management
  • Request fulfillment
  • Problem management
  • Access management

Continual service improvement

  • Seven-step improvement process


The definition of service management is “a set of specialized organizational capabilities for providing value to customers in the form of services”. Services are supported by service assets, which are organizational capabilities and resources. Both suppliers and customers have service assets. The relationship between the customer and the supplier is defined by how the service assets work together in an exchange to deliver the service. For example, a customer has an asset such as a person who needs to use a supplier’s IT infrastructure asset. Figure 6 illustrates that the practice of service management is simply to provide service assets to customers and to eliminate any constraints in the use of the service, for maximum performance in support of business outcomes. DevOps, in this case, becomes an enabler for increasing the maturity of the service management practice within a supplier’s organization by removing constraints to service delivery performance, and can be thought of as an organizational strategy for this purpose.

The service structures in the value network play a key role in service management and the stages of organizational development. IT service management is actually a value network within an organization and has patterns of collaborative exchanges. This exchange of information in an agile, collaborative manner between development and operations is in line with the spirit of DevOps.

The stages of organizational development are: network, direction, delegation, coordination and collaboration – and they are related to a management style. Network organizations, for example, often have no specific structure, specific governance or defined processes. Collaborative groups, at the other end of the spectrum, have service governance and many defined processes and are highly skilled in teamwork. DevOps functions best in a collaborative structure because of the increased responsiveness to changing customer needs.

All the stages of the ITIL service lifecycle must support the service strategy. Activities, resources and capabilities needed for DevOps must support the overall business strategy. For example, if you develop any application, a DevOps approach supports service performance and the way you go to market with the services that you deliver. This helps the organization run the business better by becoming more efficient and effective with usage of service resources focused on providing value to the end consumer.

This can also help the organization grow their business in the markets that they serve or new markets because of the cost savings from the efficiencies gained which can be reinvested into new services. The key DevOps concept that supports this is the improvement in the relationship between development and operations.1


ITIL positions the application management development function within operations as a function that works across the service lifecycle, collaborating with other functions throughout the process – which is very much in the spirit of DevOps. For example, in service design, this collaboration involves helping with build-or-buy decisions. If the decision is to build the solution, the service assets (including people) must work collaboratively as members of the service design team to coordinate efforts and produce a service design plan (SDP) or service requirements plan. The SDP describes application-related outcomes and the business relevance as well as the underpinning activities and capabilities needed.

The SDP can become a critical document for decision support with DevOps activities because it basically describes the scope of the developed application. Not setting user expectations for application capabilities can result in incidents related to non-features of the application, resulting in reactive development efforts with little or no supplier value. Such requests should instead be treated as prompts for strategic thinking on the overall value of the request to customer and supplier, the appropriate cost model for financial recovery, the development strategy and many other concerns for overall value creation and realization. DevOps practices enforce working in a service-oriented fashion instead of a misguided, reactive, siloed fashion; ITIL as a foundation can help with this focus.


Service transition enables a key capability needed within a DevOps environment: collaboration. The primary purpose of service transition is risk management and knowledge management. The specific process areas that enable service transition are transition planning and support, change management, knowledge management, asset and configuration management, change evaluation, and service validation and testing. Service transition supports the service strategy organizational structure and development phases. Also crucial to service transition is building the appropriate service to support business outcomes. Development should ensure that any application updates delivered will provide value to the business customer and the service provider. (See the ITIL publications for more information about value creation and value realization.)

Application management works with the service transition release and deployment process areas to build, test and implement the new service and to be available for early life support (ELS), helping IT achieve expectations and reduce incidents related to the service. The overall planning and coordination of services is accomplished through transition planning and support, configuration, change, and release and deployment management.

Service transition can be reactive or proactive. Reactive service transition can implement a change to prevent an immediate risk. Proactive service transition focuses more on trends and future business needs. Both are relevant in a DevOps environment. Understanding the relationship of service transition policies and processes to reactive and proactive behavior can enhance service agility and DevOps. Being proactive is helpful but usually not enough, since proactive behavior can still impact quality of service, the service experience and the service relationship. Sometimes IT organizations adopt a DevOps approach because they need to improve overall customer satisfaction. IT must also ensure that the organization is service focused in order to mitigate service risk. The next step in maturity for an organization that adopts a DevOps approach and ITIL is to focus on service alignment.

In the service transition stage, application management and operations management meet. Service transition best practices help enable agility and, therefore, help enable DevOps as a practice. The practice of DevOps supports the organization’s overall practice of ITSM. Organizational maturity, especially as it relates to people’s roles and responsibilities in service transition, is the organizational challenge that must be met for DevOps to become a reality for improved value.


A key principle in ITIL service operation is managing stability versus responsiveness. Operations wants stability; development wants to be responsive to customer needs. Business and IT requirements are constantly changing, requiring agility in producing application functionality while at the same time maintaining IT stability for application performance. ITIL’s service lifecycle approach helps organizations agree on desired changes, take advantage of the existing infrastructure and understand what it takes to deliver the changes for value realization in operations.

Service operation process areas can provide valuable input into DevOps. When events, incidents, problems, requests and system access tickets are created, together with the key performance indicators derived from them, these processes can give direction to further continual service improvement for DevOps. Integration of service operation and DevOps can help improve overall customer satisfaction and service usability. Service automation of these ITIL process areas, coordinated with DevOps, especially event and incident management, will help improve overall service delivery performance.

IT organizations sometimes need to transform their services and applications quickly to meet customers’ needs, or risk becoming optional and having more services outsourced. Adopting a DevOps approach and ITIL service operation best practices helps organizations be more responsive to business needs without affecting operational stability, while at the same time supporting the organizational service strategy.


Every approach can always be improved to increase overall performance and business value. DevOps methodology is intended, among other things, to apply the principles of continuous delivery and continuous integration to improve the performance of application development efforts. ITIL’s seven-step improvement process (Figure 7) can help facilitate this improvement. This process, and its relationship to DevOps, is described as follows:

  • Identify the strategy for improvement.
    • A DevOps approach should support a business outcome.
    • Strategy as well as tactical and operational goals need to be understood.
  • Define what you will measure.
    • Conduct a gap analysis for achieving DevOps integration with ITSM.
    • An example key measurement in DevOps could be the following: customer satisfaction and end-user performance as related to the number, quality and frequency of releases.
    • Critical success factors (CSFs) and key performance indicators (KPIs) must be defined for DevOps.
  • Gather the data.
    • DevOps should focus on gathering data from service transition and service operation.
  • Process the data.
    • DevOps CSF and KPI data are processed and turned into information.
  • Analyze the data.
    • Understand trends.
    • Transform information into knowledge for decision support to realize improvement.
    • Understand user and supplier perspectives.
  • Present and use the data.
    • Understand the business improvements of implementing a DevOps approach.
    • Create a plan for improvement.
  • Implement improvements.
    • Implement lean and agile improvements.
    • Improve and correct the DevOps approach.

As an organization matures, its focus should be on business outcomes which are defined in the seven-step process. Adopting ITIL best practices will help organizations that are utilizing a DevOps approach become more service aligned with application releases.

The ultimate goal for application development is to take a business service management (BSM) approach. BSM simplifies and automates IT processes and prioritizes and orchestrates work according to business needs. Adopting a DevOps way of thinking helps achieve higher levels of BSM and provides greater service value.

ITIL’s balanced approach of focusing on people, processes, partners and products for efficiency and service effectiveness will help an organization create a holistic approach to DevOps. The people in the IT organization might need to change the way DevOps is adopted in order to raise the maturity of the DevOps strategy. Process relationships between development and operations might need to be improved. Partners should be considered as part of the overall value network. Products should support the processes with improved capabilities for automating the synergies between development and operations.

ITIL provides architecture for ITSM and includes guidance for organizational functions and roles, processes and activities within processes. ITIL also includes suggestions for technology capabilities that support processes and organizational roles. DevOps should leverage these ITIL capabilities for organizational coordination, collaboration and decision support.


Service handovers should be collaborative and more iterative in order to respond quickly to customers. IT’s efforts should be continual in supporting the end user’s consumption of IT in the manner that meets the end user’s expectations and provides the greatest value to the business. An environment lacking collaboration has few or no formal processes (as discussed earlier in “Service strategy” and illustrated in Figure 8). Collaboration between development and operations must exist for this to work (see Figure 9).

In most organizations, the development and operations handoff is defined in some way, but support for an ongoing, agile, two-way relationship is not. Failure to improve these processes can result in incidents and problems with deployments caused by product changes. The concept of early life support, as defined by ITIL, helps bridge the capability gap between the supporting relationships of development and operations so that consumer value is realized. Agile methods define an ongoing collaborative relationship at the earlier stage of the handover for a quick fix or turnaround of a consumer service for value or, in ITIL terms, for overall service utility. DevOps with ITIL best practices supports agile development and consumer value.


Both ITIL and a DevOps approach are intended to support the delivery of quality services to consumers. A DevOps approach should not be implemented without reference to ITIL best practices and maturity improvements should be coordinated and collaborative to realize value. Organizations need to understand that services are defined relationships between the customer and the supplier of the service. A mature DevOps and ITIL approach helps improve the relationship between IT and its customers. Each discipline working together helps with continual service improvement and organizational performance.

DevOps and infrastructure as code (IaC) can be supported by the asset and configuration management process in the service transition lifecycle phase. Tools such as the configuration management database (CMDB), which maps the IT infrastructure, can help influence and support DevOps application designs. Knowledge of the infrastructure architecture can inform DevOps decisions about designing and implementing the most efficient, agile and effective DevOps-style release processes. The same knowledge can support development and deployment on infrastructure as a service (IaaS) clouds and the delivery of DevOps capabilities as a software as a service (SaaS) solution.
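One concrete way the CMDB supports an IaC pipeline is a reconciliation step at release time: the resources a deployment declares in code are compared with the configuration items (CIs) the CMDB holds, so that untracked assets, orphaned records and ownership drift surface before the release proceeds. The following is an added example written for this page, not code from the white paper or from BMC; the manifest and CMDB export are constructed inline, and the field names `ci_id`, `name`, `type`, `owner` and `managed_by` are assumptions chosen for illustration rather than any ITIL- or vendor-defined schema.

```python
"""Reconcile infrastructure-as-code declarations against a CMDB export.

Added example (not from the original white paper). Both inputs are
constructed, minimal JSON documents; the field names 'ci_id', 'name',
'type', 'owner' and 'managed_by' are assumptions for illustration only.
"""
import json

# Constructed sample: resources a deployment pipeline declares in code.
IAC_MANIFEST = json.dumps([
    {"name": "web-01", "type": "vm", "owner": "web-team"},
    {"name": "web-02", "type": "vm", "owner": "web-team"},
    {"name": "db-01", "type": "vm", "owner": "data-team"},
    {"name": "cache-01", "type": "vm", "owner": "web-team"},
])

# Constructed sample: configuration items exported from the CMDB.
CMDB_EXPORT = json.dumps([
    {"ci_id": "CI-100", "name": "web-01", "type": "vm", "owner": "web-team", "managed_by": "iac"},
    {"ci_id": "CI-101", "name": "web-02", "type": "vm", "owner": "ops", "managed_by": "iac"},
    {"ci_id": "CI-102", "name": "db-01", "type": "vm", "owner": "data-team", "managed_by": "iac"},
    {"ci_id": "CI-103", "name": "legacy-01", "type": "vm", "owner": "unknown", "managed_by": "manual"},
])


def reconcile(manifest_json, cmdb_json):
    """Compare declared resources with CMDB records, keyed on (name, type).

    Returns a dict with three findings lists:
      unregistered: declared in code but absent from the CMDB (untracked assets)
      orphaned:     in the CMDB but not declared in code (candidate shadow IT
                    or stale records that still carry access and dependencies)
      mismatched:   present in both but with differing attributes (here: owner)
    """
    declared = {(r["name"], r["type"]): r for r in json.loads(manifest_json)}
    recorded = {(c["name"], c["type"]): c for c in json.loads(cmdb_json)}

    unregistered = sorted(k[0] for k in declared.keys() - recorded.keys())
    orphaned = sorted(k[0] for k in recorded.keys() - declared.keys())

    mismatched = []
    for key in sorted(declared.keys() & recorded.keys()):
        diffs = {
            field: (declared[key][field], recorded[key][field])
            for field in ("owner",)
            if declared[key][field] != recorded[key][field]
        }
        if diffs:
            mismatched.append({"name": key[0], "ci_id": recorded[key]["ci_id"], "diff": diffs})

    return {"unregistered": unregistered, "orphaned": orphaned, "mismatched": mismatched}


def release_gate(findings):
    """Policy a release pipeline can enforce on the reconciliation result:
    block when code would deploy assets the CMDB does not know about,
    warn on orphaned or drifted records, otherwise pass."""
    if findings["unregistered"]:
        return "block"
    if findings["orphaned"] or findings["mismatched"]:
        return "warn"
    return "pass"


if __name__ == "__main__":
    result = reconcile(IAC_MANIFEST, CMDB_EXPORT)
    print(json.dumps(result, indent=2))
    print("gate:", release_gate(result))
```

On the constructed data the run reports `cache-01` as unregistered (blocking the release until a CI is created), `legacy-01` as orphaned and `web-02` as an ownership mismatch. Keying on `(name, type)` rather than on `ci_id` is deliberate: the code has no CI identifier until the CMDB assigns one, so the join has to use attributes both sides already know.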

Service design processes should be coordinated with DevOps-oriented release management processes. This effort includes design coordination, change management, release and deployment, and service validation and testing (SVT). It also includes service design and transition policies, such as the creation of service design packages (SDP) and early life support (ELS). This coordination and collaboration during service transition helps ensure value realization and an enhanced user experience and engagement for developed products or services.

Service operation processes help ensure overall support for developed solutions. Since ITIL is dynamic in its relationship with other service lifecycle stages, feedback to service transition will occur — including feedback to DevOps for continual service improvement.


ITIL and other best practices can help you increase the value of your DevOps initiatives and avoid DevOps becoming siloed within your organization. Lean methodology, the foundation of DevOps and agile development, says that increasing the delivery volume of application updates to your users is not enough. Users don’t want just a lot of updates; they want updates that are responsive to their needs and increase the value of the production application or service. Application updates should enhance the user experience, increase service utility and add value to the service provider. Organizations are adopting DevOps to improve the delivery, and the delivered value, of application solutions to the end consumer while lowering the organizational stresses involved in that delivery, that is, reducing IT friction.

ITIL establishes the best practices for IT service management that have been adopted by organizations all over the world to help improve performance focused on needed service outcomes. The combination of the two disciplines will help you improve your service relationships and service outcomes as well as help you provide agile service delivery.

For more information about ITIL, visit For more information about  DevOps, visit


About the Author

Anthony Orr is director in the Office of the CTO and a member of the Thought Leadership Council at BMC Software. Anthony has worked for BMC for more than 15 years in various managerial, consulting, marketing and technical positions. He is an author of the ITIL v3 2011 publication update and the ITIL MALC exam book, and a senior examiner with responsibilities for the ITIL v3 certification examinations. Anthony is currently a board member of the itSMF Houston Local Interest Group (LIG). He participates regularly as a speaker and expert panel member for itSMF events globally. Anthony has more than 30 years of IT experience and has held various roles in other companies prior to joining BMC, including roles in development and operations. In his roles, he has been responsible for strategy, architecture, implementation and management of numerous service management disciplines and processes. Anthony is a frequent speaker on best practices at industry events and BMC customer forums. He has authored numerous white papers, pamphlets, podcasts, videos and blog posts on service management topics.

About BMC

BMC helps leading companies around the world put technology at the forefront of meaningful business change, improving the delivery and consumption of digital services. From mainframe to cloud to mobile, BMC delivers innovative IT management solutions that have enabled more than 20,000 customers to leverage complex technology into extraordinary business performance, increasing their agility and exceeding their expectations.

Today, flawless interconnected digital experiences will define business relevancy and success. BMC is committed to helping companies explore and profit from the New IT, a vanguard operating model that responds to complex business and customer needs with digital transformation, combining traditional technology with groundbreaking capabilities.


AXELOS is a joint venture company, created by the Cabinet Office on behalf of Her Majesty’s Government in the United Kingdom and Capita plc, to run the global best practice portfolio, including the ITIL and PRINCE2® professional standards.

The goals of AXELOS are many and varied, each one aimed at helping businesses and individuals reach success, empowering them to truly stand out in a competitive market.

  • We continually promote and advocate quality training.
  • We strive to encourage growth, development and progress.
  • We always look for innovative new solutions to improve best practice standards and processes across the board.

The result is improved skills that are relevant to the industry as a whole, and enhanced employability for all, benefiting the global economy. The benefit to you and your business in particular: better trained employees, streamlined operations, and the peace of mind of knowing that you are working with an industry-leading organization, which provides products and services with a long-standing reputation for setting the industry benchmark.


Our White Paper series should not be taken as constituting advice of any sort and no liability is accepted for any loss resulting from use of or reliance on its content. While every effort is made to ensure the accuracy and reliability of the information, AXELOS cannot accept responsibility for errors, omissions or inaccuracies. Content, diagrams, logos, and jackets are correct at time of going to press but may be subject to change without notice.



Orr, A. (2014, August 14). Maximize the synergies between ITIL® and DevOps. Retrieved November 3, 2014, from


Servicing ICT – Merging Security and Service Management

A broad range of ISO/IEC standards (joint standards of ISO and the International Electrotechnical Commission) address key issues faced by the world’s fast-growing information and communications technology (ICT) industry. These include preventing cyber attacks, ensuring information security and maintaining business continuity.

A common business tool in most organizations, ICT serves many business purposes and is used in a wide range of business applications and processes. Its use requires associated services, provided within an organization, for example through an internal ICT services department, or through a third party.

Up and running

Over recent years, cloud computing has become a fashionable term for the delivery of services such as applications as a service, software as a service and infrastructure as a service.

An example is data storage on a third-party cloud server. This can reduce an organization’s costs, as it does not need to manage and maintain its own server. There is a possible downside too: can the cloud provider manage the ICT and data storage service efficiently, securely and effectively?

This raises issues of how to provide effective ICT service management and information security. For example, if the cloud service provider is in one country and the provider of personal data is in another, how does the cloud provider protect its customers? In addition, how does the cloud provider conform to national laws when its clients are geographically dispersed around the world?

ICT service management also has a key role in the delivery of ICT services. If it is implemented properly, it can increase efficiency and cost-effectiveness, increase flexibility in the use of ICT resources and applications, reduce response times and improve quality of service. To achieve these benefits, information security plays a key role in ensuring effective service delivery.

In the case of critical national infrastructure, service provision needs to be carefully considered. Appropriate solutions and controls are necessary for ICT service management, ICT readiness and preparedness for dealing with disasters and continuity issues, incident handling and information security.

To guarantee delivery, critical infrastructure requires many services to be able to work together. Examples include medical, food, energy, utility and emergency services. Most of these rely on ICT-based systems to keep services up and running.

In cyber attacks or other disasters, it is essential to be able to recover ICT systems to restore services quickly. Before an incident occurs, it is also necessary to have effective early warning, detection and monitoring systems in place.

Best practice guidelines

The delivery of effective ICT service management is being addressed by the ISO/IEC 20000 (Information technology – Service management) family of standards; and information security issues are being addressed by the ISO/IEC 27000 (Information technology – Security techniques) family of standards.

There are also sector and application specific information security standards such as ISO/IEC 27011 for telecom services; ISO/IEC 27017 and ISO/IEC 27018 for cloud computing; and a standard for integrating information security with ICT service management, ISO/IEC 27013.

One area covered by ISO/IEC 20000 is service availability and continuity management. This addresses key questions such as:

What level of customer service does the service level agreement guarantee?

What does the service provider need to do to deliver this level of service?

What does the service provider need to do to withstand an online denial-of-service attack?

What if the service provider experiences a malware attack on its systems?

Does the service provider have the information security controls in place to deal with these cyber attacks and maintain its services?

ISO/IEC 20000 features several processes to maintain service availability while tackling problems such as cyber attacks and system failures. These processes include service continuity and availability monitoring and testing, incident handling and problem management, capacity management and information security management.

In the case of information security, ISO/IEC 20000 is linked with the information security management system standard ISO/IEC 27001, which specifies the requirements for an ISMS and a reference set of controls that service providers can draw on to protect their systems.

One of the important aspects of system protection is to understand the risks the service provider faces. As a risk-based standard, ISO/IEC 27001 requires the service provider to undertake a risk assessment to help it decide which information security controls should be implemented to ensure service availability and continuity.

ISO/IEC 27005 provides guidance on risk management for service providers that implement ISO/IEC 27001.

Given the importance of information security to the provision of ICT services, ISO/IEC 27013 is being developed to consider the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000.

The “other” business options

Additional standards in the ISO/IEC 27000 series provide guidance and service and application specific controls to support service providers. For example, ISO/IEC 27031 applies to any organization developing its ICT readiness to deal with incidents or threats, therefore ensuring business continuity.

ISO/IEC 27035 provides organizations with guidance on information security incident management. This standard describes a basic set of documents, processes and routines. It also gives guidance to external organizations supplying information security incident management services.

ISO/IEC 24762 gives guidelines on the provision of ICT disaster recovery (ICT DR) services as part of business continuity management. This applies to both in-house and outsourced ICT DR service providers of physical facilities and services.

In cloud computing, ISO/IEC JTC 1/SC 27, IT Security techniques, is developing two new standards: ISO/IEC 27017 covers cloud-specific information security controls; and ISO/IEC 27018 considers controls for personal data. Both of these standards are being designed and developed to work alongside ISO/IEC 27001.

This article was originally published in ISO Focus by Edward Humphreys.


IT and Millennials – Pros and Cons

With their desire for quick answers, use of personal smartphones in the office, and yen to solve problems on their own, millennial workers are a boon to the IT departments that serve them. Pro or con?


The Millennial generation, those born in the 1980s and later, were raised in a world where answers were available with just a few thumb clicks. Now those Millennials are bringing similar expectations into the workplace, wanting near-instant responses and resolutions to tech issues. While this may seem daunting, IT should view it as an opportunity to rethink the traditional support model and build more efficient and effective support centers for everyone.

Millennials are in the forefront of the mobile trend, but they’re not the only employees bringing in their own mobile devices and working outside the office. By adopting multi-platform support tools that allow IT to remotely manage and fix nearly any type of device, no matter where it is, IT departments can better prepare themselves to support all the smartphones and tablets flooding the market.


Millennial employees have a different way of operating, which often creates friction with current IT policies. Although they don’t intentionally circumvent or reject IT policies, their habits often work against the way IT needs to operate to keep the business productive and the company’s data and systems secure.

While their self-sufficient nature is commendable, the Millennials’ tendency to turn to outside sources to solve tech problems leaves IT in the dark about individual issues, making it nearly impossible to identify systemic problems. Essentially, if IT doesn’t know the symptoms, it encounters difficulty diagnosing the disease. This leads to slower discovery and resolution of major problems, which could cause employees more problems and ultimately extend the time to final resolution.

By engineering self-help centers to behave more like the search engines, social networks, and forums to which Millennials gravitate, IT can increase self-help and reduce calls to the support department. IT should also leverage screen-sharing technology that allows end users to watch IT professionals fix their computers or mobile devices and thereby learn how to do so themselves.

While there are always opportunities for IT to improve operations, in some cases Millennials will have to reset their expectations. IT can help do this by providing better explanations and training around IT policies, from videos for new employees to monthly tips via e-mail. If each group respects the other’s needs and learns to bend a bit, IT and Millennials can bridge the divide.

View the full article at


APEX Global launches its 2012 Public Training Calendar

Expect more REAL learning experiences from APEX Global with its roster of training offerings for 2012. With its aim to promote performance excellence among professionals, APEX Global further expands its course offerings, adding fourteen new programs in partnership with various accreditation and learning organizations.

APEX Global is the first in the Philippines to offer Certified SOA Architect where IT professionals can learn the fundamentals of SOA and gain a solid understanding of the service-orientation design, eventually leading to being a Certified SOA Architect.

Certified Scrum Master, accredited by the Scrum Alliance, is also one of the latest trainings for IT and Business Process Excellence. Scrum is the leading agile development methodology, used by Fortune 500 companies around the world. It was originally formalized for software development projects, but works well for any complex, innovative scope of work.

Furthermore, Software Quality Management Professional (SQM), Software Testing Professional – QTP and Load Runner, and the Fagan Inspection Method are also among the new programs being offered for software testing and quality excellence.

Under its BEX Behavioral Excellence umbrella, human resources practitioners will greatly benefit from the Professional in Human Resources (PHR) and Senior Professional in Human Resources (SPHR).

And with the increasing awareness and promotion of corporate social responsibility, APEX Global introduces Carbon Footprint and Reaping Returns: Measure Success of CSR & Sustainability Initiatives. Very soon, a graduate certificate program on sustainable business will be launched in partnership with one of the leading universities in Australia.

For more information and complete listing of classes and schedule, please contact APEX Global at +6324038668 or send an email to