Branimir Valentic
November 1, 2016
From the questions that I get, I have a feeling that many of you see Service Asset and Configuration Management (SACM) as complicated. I have to tell you that you are not alone. I do ITIL / ISO 20000 trainings and consulting projects, and I have to admit that many people share that thought. We can argue whether that’s justifiable or not, but the fact is that it is so.
The SACM process affects almost everyone in the company and has interfaces to almost all other IT Service Management (ITSM) processes and functions. Moreover, the SACM process goes beyond IT and ITSM: it has a strong interface to corporate finance and to the assets employees use, like PCs, printers, servers, network devices, etc. ISO 20000 sets direct requirements for such interfaces.
Both ITIL and ISO 20000 emphasize the importance of this process. There is a slight difference in the vocabulary, i.e., naming. ITIL uses “Service Asset and Configuration Management process,” whereas ISO 20000 uses “Configuration Management process.” The requirements of both of them are pretty similar. Therefore, the person responsible for the process can have the same job description.
But, how about the importance of the process and its result? To avoid theoretical explanations, just ask people involved in, e.g., Incident Management (e.g., incident diagnosis) or, even better, Change Management (e.g., change evaluation/assessment, planning, etc.). Those processes are, basically, inefficient without SACM in place. But, those are not the only ones; actually, these were just a few of them. SACM is important for Release and Deployment Management, Problem Management, Capacity Management, Availability Management, Knowledge Management… etc.
In addition to process-specific activities (I’ll explain them soon), the Service Asset and Configuration Manager has generic process manager responsibilities, which usually include:
Planning, identification, and control are three main activities to set up the SACM process. Read my previous article Three main activities to set up ITIL Service Asset and Configuration Management to get more details about these activities. Based on these three main groups of activities, the Service Asset and Configuration Manager role will have the following responsibilities:
Planning – The Service Asset and Configuration Manager is responsible for ensuring that the SACM Plan (read the article How to use ITIL to prepare the Service Asset & Configuration Management Plan to learn more about the plan) is created. This will include definition of scope (e.g., whole company), definition of Configuration Items (CIs – service assets that need to be managed to deliver the service), creation of interfaces to other processes, and planning related to the tools that will support the SACM process activities (e.g., requirements definition, vendor selection, integration with other tools, preparation for the implementation, setup of the tool, etc.).
Identification – The Service Asset and Configuration Manager is responsible for ensuring that all CIs are identified as documented in the plan. This task can be difficult when it is performed for the first time. But, once it’s done, it’s important that every new CI follows the same identification nomenclature as defined in the SACM Plan. The Service Asset and Configuration Manager needs to control the identification process (e.g., through occasional audits).
Control – This is where the Service Asset and Configuration Manager’s organizational and managerial skills are tested. Policies and detailed procedures (again, the Service Asset and Configuration Manager has to make sure they exist) need to be in place in order to ensure that everyone knows what to do and what is allowed (i.e., no change, addition, or deletion of a CI is possible without approval). Some kind of tool, used by SACM personnel, is crucial here. Usually, this tool covers more than the SACM process, but it’s the Service Asset and Configuration Manager who is responsible for making sure that SACM is properly implemented in such a tool.
Once you have the SACM process in place and services are running in the live environment, it’s important that the SACM process manages and keeps control over all the CIs that were defined in the scope (set in the SACM Plan). But, this is not as static as it seems. Quite the contrary – SACM is involved in almost all daily activities related to the service. Therefore, the Service Asset and Configuration Manager has responsibility for two sets of activities:
Status Accounting and Reporting – This is where the Service Asset and Configuration Manager needs to ensure that the listed status of the CI is always its actual status. For example, the status of the CI can be “In test,” “Approved,” “Installed,” “Withdrawn,” “Under Maintenance”… etc. For this purpose, the Service Asset and Configuration Manager has to clearly define responsibilities among the people involved in the SACM process, as well as their relation to other processes (e.g., Release and Deployment Management). Reporting can be seen as a controlling mechanism, i.e., a tool for the Service Asset and Configuration Manager to be sure that everything is as expected.
Verification and Audit – The Service Asset and Configuration Manager performs regular audits of the CMS (Configuration Management System) and verifies that all CIs match the physical infrastructure. If there are discrepancies, the Service Asset and Configuration Manager will need to investigate why they occur and how to prevent such situations in the future.
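An added example, not part of the original article or of any ITSM tool: a minimal verification-and-audit pass that compares CMS records with a discovery scan and also checks the status values and identification nomenclature discussed above. The naming pattern, record layout, and sample data are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Status values quoted in the article; treating these two as "must be
# physically present" is an assumption of this example.
LIVE_STATUSES = {"Installed", "Under Maintenance"}
KNOWN_STATUSES = LIVE_STATUSES | {"In test", "Approved", "Withdrawn"}

# Hypothetical nomenclature from a SACM Plan: TYPE-SITE-NNNN (e.g. SRV-ZAG-0012).
CI_NAME = re.compile(r"^(SRV|NET|PC|PRN)-[A-Z]{3}-\d{4}$")


@dataclass
class AuditReport:
    unrecorded: list = field(default_factory=list)    # discovered, but no CI in the CMS
    not_found: list = field(default_factory=list)     # CMS says live, discovery saw nothing
    status_drift: list = field(default_factory=list)  # CMS says Withdrawn, still discovered
    bad_names: list = field(default_factory=list)     # breaks the identification nomenclature
    bad_status: list = field(default_factory=list)    # status outside the defined set

    def clean(self):
        return not any(vars(self).values())


def audit_cms(cms_records, discovered_ids):
    """Compare CMS records with the IDs a discovery scan actually observed."""
    report = AuditReport()
    recorded = {}
    for rec in cms_records:
        ci_id, status = rec["ci_id"], rec["status"]
        recorded[ci_id] = status
        if not CI_NAME.match(ci_id):
            report.bad_names.append(ci_id)
        if status not in KNOWN_STATUSES:
            report.bad_status.append((ci_id, status))
        elif status in LIVE_STATUSES and ci_id not in discovered_ids:
            report.not_found.append(ci_id)
        elif status == "Withdrawn" and ci_id in discovered_ids:
            report.status_drift.append(ci_id)
    # Anything on the network without a CI bypassed the control activity.
    report.unrecorded = sorted(set(discovered_ids) - set(recorded))
    return report


def sample_audit():
    """Run the audit over constructed sample data (not real inventory)."""
    cms = [
        {"ci_id": "SRV-ZAG-0001", "status": "Installed"},
        {"ci_id": "SRV-ZAG-0002", "status": "Installed"},
        {"ci_id": "NET-ZAG-0007", "status": "Withdrawn"},
        {"ci_id": "printer-3", "status": "Approved"},
        {"ci_id": "PC-ZAG-0100", "status": "Retired"},
    ]
    discovered = {"SRV-ZAG-0001", "NET-ZAG-0007", "PC-ZAG-0412"}
    return audit_cms(cms, discovered)


if __name__ == "__main__":
    for category, items in vars(sample_audit()).items():
        print(f"{category}: {items}")
```

Each non-empty category is a discrepancy to investigate; unrecorded and withdrawn-but-present devices are the ones that most directly indicate a change made without approval.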
So, it’s obvious that the SACM process is needed, as well as someone to manage it, i.e., the Service Asset and Configuration Manager. Since you need to have one, it’s logical to make the best of it. How can you do that? Well, that’s another story. There are many parameters that influence this answer, but consider:
And, it’s not only about the SACM process. The Service Asset and Configuration Manager has a much broader reach in ITIL, as well as in ISO 20000. Therefore, the right person provides you with an excellent foundation in many other processes. It’s better not to miss that opportunity.
Use this free ITIL/ISO 20000 Gap Analysis tool to check your Service Asset and Configuration Management process compliance with ITIL/ISO 20000.