Certification in IT: Opportunities, expenditures and benefits (07/2021)
Content

Executive Summary (p. 3)
Preface (p. 4)
Introduction (p. 5)
Certification in Detail (p. 5)
3.1 What are certificates and what are the reasons for getting certified? (p. 5)
3.2 Certification in IT Environments (p. 7)
3.2.1 What types of certifications are available? (p. 7)
3.2.2 Which certifications are required and when? (p. 7)
3.2.3 Expenditures and outsourcing (p. 7)
3.2.4 The advantage of outsourcing (p. 8)
Conclusion: Expenditures, as well as Benefits (p. 9)
noris network AG (p. 10)
Executive Summary

Continuity and stability are important objectives for companies, and this is not only true for IT environments. Certifications of the company itself, as well as certifications held by service providers and partners, can provide helpful support here. A primary objective of certifications is to maintain established standards and continuously improve quality. To control this, audits are conducted on a regular basis. Certifications can therefore help companies to meet standards even when the environment changes constantly, and so provide consistent or even increasing quality to the customer.

This whitepaper aims to explain what certifications are and to show how companies can benefit from them despite the expenditures involved. In addition to providing an insight into the different types of certifications, the whitepaper reveals which certifications are helpful in IT environments and what the possible advantages of outsourcing could be. Certifications not only affect the way a company comes across; they can also play a vital role in ensuring stable company growth.
Preface

Where would you tend to expect certification? At a fast food chain or in a three-star restaurant? Although the three-star restaurant may excel on account of its haute cuisine, and may have been honored with awards, there is a greater chance of the chef making a mistake in this environment if they happen to have a bad day. This means that although the level of cuisine is enormously high, the high quality cannot be guaranteed consistently. However, when it comes to system catering, although you would not usually expect to find premium products, consistently managed quality is normally provided despite the myriad of meals sold each day. Certifications can help to ensure this.

This example serves to illustrate how important it is to distinguish between awards and certifications. Here, the one does not necessarily need to exclude the other, as even the three-star restaurant can be guided by consistent standards through the use of certification. In addition, the aim here is to show that it is important to establish standards and have them controlled, particularly for scalable business models.

When applying this example to companies in IT environments, it becomes clear that certification of one's own company, service providers, as well as partners is especially important if the goal is to benefit from economies of scale. Business models in the areas of cloud or data center services therefore benefit twice: They are able to guarantee consistent quality even as customer numbers increase, and at the same time, they can assume that the acceptance of their customers will grow.
Introduction

A prerequisite for secure, stable and, above all, scalable IT operations is continuous management together with suitable control mechanisms. Certifications provide an important basis for this. In this whitepaper, we describe, among other things, what certification means, and how you can benefit from it as a company.

Certification in Detail

3.1 What are certificates and what are the reasons for getting certified?

Certification is a procedure that is used to demonstrate compliance with particular requirements. It is a sub-process of conformity assessment. Certifications are usually valid for a limited period of time, and are awarded by independent certification bodies. The areas in which requirements are made that can be certified generally include:

▪ Products and services plus their respective manufacturing processes
▪ Persons
▪ Systems
▪ Companies

Certifications for products include

▪ CE, which demonstrates compliance with requirements to ensure health, safety, and environmental protection
▪ VDE, which identifies product safety

Certifications for persons are awarded as evidence of knowledge and personal competence. These can be degrees/qualifications in recognized education and training, for example, as a PMP (Project Management Professional).

System certifications include management system certifications such as

▪ ISO 9001 for a quality management system, or
▪ ISO 27001 for an information security management system

of the International Organization for Standardization, in short ISO.

The availability of a certificate therefore documents compliance or conformity with the requirements listed in standards or requirements catalogs. This makes it easier to compare providers or candidates, and reduces or avoids the need for a company to carry out its own audits. Job advertisements often require evidence of expertise and specialist knowledge in the form of certificates, sometimes also with a particular focus or level of proficiency.
This way, at least, the assumption can be made that the candidate will have the required knowledge and skills. The same applies to management systems. In providing proof of certification, the operator of a management system is able to demonstrate that they have understood the requirements and implemented them appropriately.

However, if such a certification is to be part of a business deal or other type of collaboration, it is advisable to take a closer look at the certificate. Certificates for the ISO standards include the spatial and content-related scope of application of the respective management system. Is it clear whether the area required for the collaboration, both in terms of space and content, is covered by the certificate? Or, put more simply: Does the provider only have a quality management-certified canteen, although the aim is to obtain complex operational services that require appropriate proof? A customer may well insist that the respective requirements are complied with for the entire value chain, and that this must be proven via certificates. This can limit the choice when it comes to selecting a (sub-)service provider.

Initial certification demonstrates that a requirement has been implemented to an adequate level. However, for the certification to be maintained, improvements in implementation must be made continuously. One method for achieving this is referred to as Plan-Do-Check-Act (PDCA), and is shown in the following graphic:

[Graphic: the PDCA cycle]

PLAN
▪ Responsibility of top management
▪ Define policy
▪ Appoint representative
▪ Initial assessment of the situation

DO
▪ Implementation and operation
▪ Communication within the company
▪ Provision of necessary resources

CHECK
▪ Audit
▪ Analysis
▪ Corrective measures
▪ Preventive measures
▪ Internal audits

ACT
▪ Evaluation by top management
▪ Management review
▪ Derivation of new goals
3.2 Certification in IT Environments

3.2.1 What types of certifications are available?

A distinction is largely made between person, product, and system certifications. In the certification of persons, a certain level of knowledge, expertise, or other qualifications is normally demonstrated. These can be technical qualifications involving operating systems, for example, as well as methodological knowledge and skills such as those involved in project management.

The "Common Criteria for Information Technology Security Evaluation" (CC for short) is worth mentioning in relation to IT product environments. This is an international standard for testing and evaluating the security features of IT products.

System certifications involve the auditing of management systems. A well-known standard here is ISO 9001, which sets out requirements for quality management. However, ISO 27001 (for information security management) and ISO 20000-1 (for IT service management) are also relevant to IT. These standards include requirements for management systems that must be implemented by organizations. An accredited auditor regularly reviews the implementation and further development of the particular management system.

3.2.2 Which certifications are required and when?

In principle, certification is intended to reduce audit expenditures, as an audit is performed according to generally accepted requirements or criteria, and the result is made available to interested parties. Job applicants can benefit from the fact that the qualifications required for the particular position are known in advance, and their application can therefore be targeted. In addition, the employer can assume an expected level of knowledge or skills provided the applicant can prove these by means of certificates. The same applies to product certifications.

There are plenty of company and process certifications. However, existing requirements always determine which ones are needed.
The certification itself confirms that the respective management system has been implemented. The requirements for certifications therefore usually originate from third parties. For example, if a company has implemented a functioning Information Security Management System (ISMS) according to ISO 27001, it is important to ensure that the company's suppliers implement this as well. The easiest way to prove this is through appropriate certification.

Conversely, however, a company may, for various reasons, want to make an appearance on the market with new ideas and impress with topics such as environmental management, for example. In this case, it is a matter of finding the right certification that most closely expresses the added value on the market in line with the company's own requirements.

In the world of IT, certifications according to ISO 27001 and ISO 20000-1 have become established as the de facto minimum standard. IT service providers should therefore also be fully required to comply with these standards.

3.2.3 Expenditures and outsourcing

In principle, when it comes to certifications, it is important to distinguish between initial and ongoing expenditures and costs. Each management system needs one or more internal responsible persons who can ensure that the requirements are implemented, coordinate the external audit by the auditor, and maintain the certification over the certificate period.

Some management systems reference existing management systems or have the same or similar requirements. Here, corresponding synergies can be exploited in the organization. Expenditure for implementation and maintenance is necessary when there are new or differing requirements.
Certifications, reports, or assessments that are strongly linked to a specific customer, and are not relevant to other customers in terms of form and content, can be implemented by sharing costs appropriately with the customer.

3.2.4 The advantage of outsourcing

Service providers regularly check the certification requirements of the market as well as of their customers. This serves to support customers and helps in acquiring new customers who ask for certifications as a prerequisite for commissioning and collaboration.

In some circumstances, certifications that have already been obtained may no longer be maintained. The reasons for this are varied: The certifications may no longer be in demand, may no longer be current or valid, or it may not make economic sense to update them. Customers should therefore obtain a contractual guarantee that the certifications that are essential to them will be maintained. However, this assurance may be evaluated differently, depending on the type of certification, and should be balanced to achieve a cost-effective outsourcing strategy.

An appropriate certification gives the customer or other interested party neutral confirmation that requirements from the underlying norms and standards have been adequately implemented. This eliminates audit expenditures for the customer. A key benefit of outsourcing audits to a service provider is the possible savings that can be achieved by sharing costs with multiple interested parties such as customers. The customer's internal expenditures for coordinating such an audit are also eliminated; the service provider schedules the audits and ensures the certification. If necessary, any of the customer's own requirements that go beyond those arising from the norms and standards must be checked by the customer or interested party themselves, or be checked by commissioned auditors.
Outsourcing also allows a company to buy into specialist expertise that does not have to be established and maintained internally, even if internal expenditures are still incurred.

"It is essential for an innovative company to be able to provide evidence of an active management system. In addition, certifications reduce audit expenditures for customers or other interested parties."

Markus Laube, Business Continuity Officer, noris network AG
Conclusion: Expenditures, as well as Benefits

In principle, the certifications of a service provider allow compliance with requirements arising from norms and standards to be ensured and confirmed by a neutral external auditor, provided the company's own requirements conform to those of the underlying standards. Requirements that deviate from or go beyond the standards may have to be ensured by the company itself or by commissioned auditors. Before commissioning a certification or the respective certification partner, it is therefore essential to clarify the basic conditions, expenditures, and assurances with them. If the requirements have been specified clearly in advance, certifications can support the sustainable success of a company, and ultimately also reduce expenditures.
noris network AG

noris network AG, based in Nuremberg, Germany, offers customized ICT solutions in the areas of IT outsourcing, managed services, cloud services, and network and security to companies and organizations primarily in the banking/insurance, automotive/industry, software development, and public administration sectors. The company's technological basis is provided by a high-performance IT infrastructure with noris network's own high-security data centers, including Nuremberg South and Munich East, which are acknowledged to be two of the most modern and energy-efficient data centers in Europe. In addition to customer-specific solutions and services for classic and virtualized IT infrastructures, noris network provides PaaS (platform as a service) solutions on its own cloud platforms, and with OpenShift, it also offers services for the automated scaling of resources (containers). The company combines further standardized premium data center products under the datacenter.de brand.

noris network AG and all its business activities are certified for consistent quality and security in service and information security management in accordance with ISO/IEC 20000-1, ISO/IEC 27001, and ISO 9001. noris network is the first data center operator to be certified according to VdS Guideline 3406 in the area of "Security Management for Buildings." In addition, the maximum availability, protection, and energy efficiency classes of the Munich East data center have also been confirmed in accordance with EN 50600. The Nuremberg Center and Nuremberg South data centers as well as the Munich East data center have received the ISO 27001 certificate on the basis of IT-Grundschutz (IT baseline protection) of the BSI (Federal Office for Information Security). The IT service provider also possesses other certificates, including PCI DSS, TISAX, and ISO 14001 Environmental Management.
noris network AG, which was founded in 1993, is one of the German pioneers in the field of modern IT services. Today, the company provides services to a range of well-known companies including adidas AG, Consorsbank, Flughafen Nürnberg GmbH (Airport Nürnberg), Max Bögl Group, Küchen Quelle GmbH, Schmetterling Reisen GmbH & Co. KG, Teambank AG, and many more.

noris network AG
Thomas-Mann-Straße 16 – 20
90471 Nuremberg, Germany
Tel.: (+49-911) 9352-0
www.noris.de