S<sup>3</sup>MS a simple service & security management system

Abstract

Planning and implementing IT Service Management (ITSM) and Information Security Management according to the International Standards ISO/IEC 20000-1 and ISO/IEC 27001, following good practice approaches like ITIL, and considering IT governance controls as described in COBIT, is challenging in multiple ways. One of the most obvious difficulties in practice is to produce and maintain the required documentation in a way that it effectively supports the delivery of IT services and the implementation of security controls, by at the same time avoiding an amount of bureaucratic overhead that jeopardizes the efficiency of the management system in the end. The “S3MS” approach presented here is a practical approach of implementing ITSM and ISM in a consolidated and integrated way. It is driven by the methodology and requirements provided by the above mentioned standards and frameworks, but it complements them by offering a wide set of templates and samples that can be re-used, instantiated and/or refined to generate what is needed to deploy an effective documented service and security management system. Therefore, the S3MS framework is divided into a service module, a security module and a general management system module - all of which are fully aligned to each other. S3MS is the outcome from merging scientific/academic work with practical experiences and lessons learned in various ITSM- and ISM-related projects in industry and in the public service sector.