Goal: Maximize service returns and minimize risks. Measurement: Establish measurement methods regarding service risks and benefits (in conjunction with 9.1 Monitoring, measurement, analysis and evaluation of SMS and services); Selection: service selection and priority method, that is, facing the market and customers, which services to choose and how to set the priority of services, corresponding to service planning 8.2.2; Asset allocation: clarify which assets are used to support services, what is the relationship between assets, etc. Asset investment is the component of service costs and should be optimized to maximize returns and minimize risks, corresponding to asset management 8.2.5 and allocation management 8.2.6 ; Evolution: The complete process of a service through proposal, development, operation and offline. Services in operation are usually represented by service catalogs, especially the "service catalog" determined by signing a contract with a specific customer, corresponding to service planning 8.2.2, service Directory Management 8.2.4: Management and control: Manage and control relevant parties in the life cycle to control costs and reduce risks, corresponding to 8.2.3; Underpinning: Financial management is a key input to service portfolio management, and by understanding the cost structure adopted in service delivery, companies may be able to determine cost baselines. Accurate cost calculation requires understanding of financial information, service demand information, organization's service capability information, etc., corresponding to 8.4.1.

1. Regularly determine and record services and their requirements (including laws, regulations, contracts and other requirements of relevant parties) in different progress states as a basis for organizational planning services (as part of service portfolio management). The services planned by the organization can be market-oriented services that are not targeted at specific customers, or they can be services targeted at specific customers. 2. Existing services are presented through the service catalog. New services need to go through suggestions, development and other processes to become operable and deliverable services. Service changes are controlled through the change management of the existing or established SMS. 3. The determination of service importance is related to the following factors: the organization’s benefits and costs; customer payment, business importance and benefits supported by the service, and time urgency; user experience (such as availability, etc.); compliance with the supervision of other relevant parties. compliance, supplier benefits and costs, etc. Service importance can be tailored to specific customers or built around the organization itself. Regardless of the importance, an evaluation model needs to be established for analysis and evaluation. 4. The following factors should be considered when setting priorities: business needs that generate change requests and new services or change service proposals; service management goals; investment, benefits, and risks in implementing change requests and service proposals; available resources; known constraints.

1. Evaluation criteria: The impact of other parties on the service should be considered. The decisive factors of the impact include the responsibilities of other parties in the service life cycle, frequency of participation, costs/expenses paid by the organization, and their role in service benefits and risks. An assessment model should be built based on these factors. 2. Selection criteria: The priority of selecting other parties should be determined based on the size of their impact. What the organization should determine and record is to establish a list of its three deliverables (i.e. services, service components, service processes) for each other party on the basis of identifying other parties and their responsibilities, and compare them with the organization Responsibilities are integrated to meet customer needs and achieve service management objectives. The goal is to improve service efficiency and reduce costs and risks. The integrated methods and results should be achieved through configuration management.

1. The measurement and evaluation of the effectiveness of services and service components should focus on the following points: The effectiveness indicators of services meeting needs include the degree of satisfaction of customer business value. The role of services on these indicators should be determined based on customer business operation performance indicators. , and then convert it into effectiveness indicators in terms of service availability, information security, service continuity, etc. Service availability is closely related to capacity, service performance, etc.; service component effectiveness indicators (such as availability, information security, etc.) are service effectiveness The basis for measurement is to establish the corresponding relationship between service effectiveness indicators and service component effectiveness indicators. The corresponding relationship can be established by using the component path through which the service is completed. 2. The relationship between customer business, services, and service components can be realized through the configuration management system, and measurement and evaluation models can be established accordingly.

1. The services in the service catalog include business services and technical services. Business services consist of the computing capabilities directly required by the customer's business system, while technical services consist of the technical activities provided by the organization to the customer's business system. 2. Common technical services take the type of information assets as the first dimension, such as servers, network equipment, computer room air conditioners, etc.; then add the dimension of technical activities to form technical services, such as server installation and deployment services, server inspection services, etc.; Technology The activities are as follows: Installation and deployment include initial installation and deployment, upgrade and patching, transformation, configuration and testing, asset identification and monitoring, daily inspection and inspection, troubleshooting, migration, backup and recovery, audit and evaluation, abandonment (uninstallation, Disconnect, clear, store, destroy), etc.; 3. In the event of service transfer, service offline, new services, etc., the organization should update and maintain the service catalog in a timely manner.

1. Assets refer to the assets used to provide services, which may include assets of the organization, customers, suppliers and other parties, as long as these assets are indispensable for the delivery of services. 2. Classification of information assets: physical assets, such as computer hardware, communication facilities, physical support facilities; information/data, such as documents and databases; software, such as application software, system software, development tools and programs, etc.; producing products or The ability to provide services; people; intangible assets, such as willingness, reputation, etc. 3. Assets should be managed throughout the life cycle. An organization can only conduct complete life cycle management of its own assets. For other parties’ assets, the organization can make requests and suggestions, and the responsibilities and management work belong to other parties. 4. The organization should form an asset ledger and maintain the ledger regularly. Asset ledger attributes usually include asset major category, medium category, small category, name, code, status, responsible person, location, supplier, etc. The organization should add attributes according to the actual situation. For example, in Information Security 8.7.3, assets should Add safe assignment attribute.

1. Based on the service process, CI types such as customers/users, service organizations, service catalogs and SLAs and related documents, services, IT systems and assets can be defined. 2.CI attributes generally include: 2.1 Identification type: configuration item name; configuration item identification/label (such as automatically identifiable barcode); configuration item number; version number/model/license number/copy number; 2.2 Definition class: configuration item classification; configuration item definition; configuration item description; 2.3 Relationship class: The relationship between configuration items: parent-child relationship, composition relationship, integration relationship, association relationship, etc.; the corresponding relationship between configuration items and IT components; installation environment; supplier; 2.4 Management category: status; location; responsible department/responsible person (configuration item owner, maintenance manager or custodian, etc.); configuration administrator/approval authority (the organization that approves the configuration item); approval date (the configuration item is organized date of approval); access rights; cost; date of provision; maintenance service period; 2.5 Utility category: availability index; capacity index; security index; continuity index; 2.6 Component class: Without further refinement of the composition, the composition of IT components (including specific attributes) can be used as configuration item attributes, such as CPU utilization; 3. CI status includes: configuration items that have been approved but have not yet been launched (referring to deployment in the production environment) (not yet imported into the configuration library). Their status includes: under development/procurement, tested, and accepted; The status of online configuration items (in the configuration library) includes: in use, deactivated, under maintenance (pending changes, etc.); The status of offline and removed configuration items includes: deleted/removed; lease expired (cloud service); damaged. 4. CI should be controlled. The intention of this clause is that the organization should track and audit changes in CI to ensure that CI is controlled and that CI information is consistent with the physical CI deployed in the system. 5. Examples of CI audit implementation requirements are as follows: Regularly review configuration items to ensure that the information in the configuration management database is complete, accurate and updated in a timely manner. The audit should be performed: after the implementation of major changes; after disaster recovery; other inspections or management requirements should be performed at least once a year. Regularly check the log information and audit operation records in the configuration management system, and report any suspicious situations immediately to ensure the operational security of the configuration database; regularly organize sampling inspections of the information in the configuration management database, and the sampling should cover all configuration item categories. The sampling ratio follows: for configuration items with a total of less than 10 items, the sampling ratio is 50%; for configuration items with a total number between 10 and 50 items, the sampling ratio is 20%; for configuration items with a total number of more than 50 items, the sampling ratio is 10 %wait.

1. The core of customer relationship management is value, which means long-term and continuous dynamic management of customer value identification, retention and development in the life cycle process of customer identification, preservation and development to achieve a win-win situation. Value judgment includes: the value provided by the organization to customers; the contribution of customers to the value of the organization. Customer relationship management includes three stages: collecting customer information and establishing a customer database; classifying customers and carrying out key account management; meeting customer needs, correctly treating customer complaints, and cultivating loyal customers. 2. Business environment refers to the customer's business environment, including external environmental factors such as policy, economy, technology, social culture, customers, competitors, etc., as well as organizational vision, strategic goals, internal organizational structure, personnel responsibilities, products/services, production line operations, and supply Internal environmental factors such as chain management, customer relationship management, application systems and IT infrastructure. 3. The basis for establishing service performance indicators is service management objective 6.2, service delivery 8.2.1, and target indicator 8.3.3 in the service level agreement; 4. Service complaints are part of the satisfaction evaluation. There should be dedicated personnel to manage the entire process of service complaints, which includes complaints filing, reception and recording, processing, confirmation, closure, reporting and other activities. Complaint channels should be part of the organization's communication channels, and multiple complaint channels should be established. If the complaint cannot be resolved through normal channels, the organization should provide other channels to resolve the complaint in an escalating manner, such as the management hotline, etc.

1. The monitoring requirements for services and SLA are as follows: the service items that need to be monitored should be clearly defined based on the SLA and service catalog; the implementation process and key activities of each service item (customer business activities supported by the service) should be clarified. Record information of implementation operations should be obtained for the implementation process, including: service records, such as incident tickets; work logs; service reports, such as weekly reports, monthly reports, etc.; customer satisfaction. For key activities, information system status information should be obtained, including: load conditions, including average values, peak and trough values, and periodic changes; physical status; availability, performance and security status; system configuration parameters. 2. Target values ​​of evaluation indicators: service/system availability indicators; service/system performance indicators; service/system security indicators; service/system capacity indicators; service/system continuity indicators, such as RTO, RPO; service execution indicators, such as The completion rate, accuracy rate and timeliness rate of each task, etc. The organization should estimate the actual value of the evaluation indicator based on the collected monitoring information, compare it with the target indicator, and conduct SLA review. Key points about the review include: the evaluation method should be clear, including measurement and statistical methods; the service level should be evaluated item by item based on the service monitoring results. The degree of indicator satisfaction; giving a conclusion on whether the SLA is met and the degree of satisfaction; and determining the SLA maintenance or change requirements based on the SLA evaluation conclusion. 3. The review results should be summarized to form a service level report. The main contents of the report include: service SA satisfaction degree; customer satisfaction status. For those that do not meet the SLA, identify the reasons for the deficiency and propose improvement measures, including: service catalog and service level optimization; service organization optimization including: positions and personnel; service capability optimization including: skills and training; service process optimization; service resource optimization; service Scheduling optimization; other improvements.

1. Supplier performance should establish performance indicators based on the results provided, and conduct daily tracking, monitoring and evaluation as the basis for regular re-evaluation, continuous selection or exit. It should be based on the SLA (i.e., the entire service performance indicator) signed with the customer, consider the supplier's responsibilities and deliverables, and combine the dependencies between services, service components, CI, etc. established in Configuration Management 8.2.6 to clarify the supplier's responsibilities and deliverables. The role of parties and deliverables in the entire service is determined, and performance indicators are ultimately determined. 2. The risk identification of external suppliers should be based on performance deviation (deviation from customer SLA), specifically including: the risk of direct performance deviation; lack of, insufficient or inadequate personnel, tools, assets, information, etc. that support the results delivered by external suppliers. Risks that may be caused by changes, which will ultimately be reflected in the risk of direct performance deviation; risks controlled by external suppliers, such as external suppliers' operating conditions, bankruptcy, compliance, etc. 3. The interface with external suppliers includes communication interfaces between personnel, interfaces between the management systems of both parties (such as customer relationship management systems, project management tools, etc.), and operation and maintenance management tools (such as management tools used by both parties). interface, etc. 4. Regularly review the external supplier's satisfaction with the contract to resolve disputes between the two parties, contract changes, etc. Contract reviews should be organized and carried out regularly by specialized departments or personnel, and it should be clear whether both parties should maintain the contract or change it. For external suppliers that deviate significantly from contract requirements, exit measures should be taken. To evaluate the impact of contract changes on SMS and services, you should refer to the impact benchmark in 8.5.1.1. If the impact is large, appropriate countermeasures should be taken. For example, for external suppliers that want to withdraw, backup plans should be made in advance to redesign and convert services. (8.5). For disputes between the parties, the provisions of the contract should be implemented and the issues should be resolved and closed directly.

The organization should enter into agreements with internal suppliers or customers that include service level objectives, other commitments, activities and interfaces. The management process of internal suppliers or customers as suppliers can refer to the external supplier management process in 8.3.4.1. The establishment of service level objectives and performance indicators can refer to the external supplier's service level objectives, performance indicators and other related content (8.3.4.1). The content organization of the agreement may refer to the relevant content of the external supplier contract (8.3.4.1). The definition and management of interfaces can refer to the content related to external provider interfaces (8.3.4.1). The organization should regularly monitor and evaluate the performance of internal suppliers or customers to determine whether service level objectives or other agreed commitments are met, and require external suppliers to improve.

The organization should clarify the service cost objects and cost classifications. The cost objects include the organization's tools and assets (software and hardware), personnel, IT infrastructure, locations, etc. that support the service. The cost classification includes direct costs, indirect costs and allocable indirect costs, such as : Whether the cost object is included in the cost estimate is secondary to whether the object belongs to the organization. The part shared and jointly constructed by both parties is an allocable cost. The organization should regularly monitor, evaluate, and report actual costs and review budget effectiveness.

1. Manage service requirements to ensure that the organization obtains service requirements in a timely manner and converts them into SLA-signable services as much as possible to increase service revenue. 2. Service needs originate from customer business changes, and demand acquisition is the starting point of the service life cycle process. The key to demand management is to establish a demand analysis model. For a specific customer, the model mainly includes the following contents: Input: including customer business, customer IT systems and services, as follows: —Customer business: Distinguish between the customer's core business and supporting business, focus on the current status and development trends of the core business, especially the changing trend of business capacity. Special attention should be paid to the time sensitivity of business capacity, that is, the peak period of business capacity and special dates. Business capacity (such as Double Eleven and other dates for Internet business); 1. Customer IT systems: upgrades, scrapping, resource capacity (such as effective utilization rate), new technology adoption, new system launch, application migration to cloud computing, etc.; One-to-one services: Status of running services (services in the customer service catalog) (including service effective usage or consumption, service satisfaction with SLA, customer evaluation of service pricing), service change requests, customer evaluation of service providers and changes, etc. Output: including customer business, customer IT systems and services, as follows: 1. Customer business: new business capacity (including business capacity during peak periods and special days) and demand for computing power or business services; Customer IT system: new additions and changes in functions, performance, capacity, etc., as well as corresponding technical service needs; One-to-one services: Customer service providers that have withdrawn, customer core business operational performance, customer SLA satisfaction, customer evaluation of service cost performance, as well as new service requirements and changed service requirements; New service requirements or changed service requirements may be identified and documented through 8.2.2. 3. Demand management is closely related to capacity management. Changes in the resource capacity of the customer system can generate demand for business services (computing power) and technical services (such as inspections, fault handling, etc.). The prediction from business capacity to resource capacity here also applies. for capacity management. Demand management should be related to financial management, and demand should be quantified with financial data to facilitate organizational management to predict and manage the impact of demand on finance. The organization should deploy or adopt the customer's existing testing tools. Obtain the input data of the demand analysis model, conduct demand analysis regularly, and form a demand analysis report, focusing on the customer's existing service consumption and new service needs. 4. When appropriate, the organization can use the demand conversion rate (converted to formal SI, A) as a performance indicator of SMS.

1. Clarify the sources of capacity requirements and determine, record and maintain resource capacity requirements. The sources of capacity requirements are service and performance requirements, while resources include four types of resources: human, technical, information and financial. 2. When considering customer business operations, organizations should pay attention to three levels of capacity, namely business capacity, service capacity and resource capacity. The cost of the organization is ultimately reflected in the consumption of four resources: human resources, technology, information and financial resources. 3. Capacity planning includes capacity forecasts, expected impacts of predicted capacity, and time scales and thresholds for capacity changes. 4. Time scale refers to the average measurement of the time it takes to complete a certain physical process. Generally speaking, the slower the evolution of a physical process, the longer its time scale. The larger the spatial range involved in a physical process, the longer its time scale. The time of change of service capacity can be regarded as the speed of change of service capacity. If the change of service capacity is stable and the time scale is long, the change of resource capacity is small and the prediction model is simple. On the contrary, the prediction model is complex: and the prediction accuracy is relatively low. Low. In short, the small time scale means that the service capacity changes drastically. Determining factors for the timing of changes in service capacity include: 1) The degree of oscillation of the customer's business capacity line, such as peak and trough alternating frequency and curvature; 2) The peak value, trough value, normal value of customer business capacity and their corresponding time periods (for example, 9 to 11 am is the peak period); 3) Load balancing of service components. 5. After the service deployment is completed according to the capacity plan, monitoring and analysis measures should be taken to verify whether the capacity meets the service capacity and performance requirements. If there are deviations, improvement measures should be proposed. Capacity monitoring content includes: computing resources, transmission resources and storage resources, such as: 1. Computing resources: performance indicators such as effective utilization of memory, CPU, etc. and timely response rate; 2. Transmission resources: effective bandwidth utilization and performance indicators such as QoS and delay; 3. Storage resources: performance indicators such as effective utilization of storage space and timely response rate. To analyze monitoring data and generate alarms (such as performance failures caused by insufficient capacity, etc.), this requires setting a capacity threshold as the basis for alarms.

1. The organization should clarify its change management policy and formulate a formal document. The change management policy includes: assets (or CI) and other factors (such as SLA) that fall within the scope of change management; change types and disposal processes; and the assessment basis for the impact of the change. Service components subject to change management control should include all assets and other factors that support the service, as described below: ——Assets that support customer business operations: mainly refer to information systems, computer room physical facilities, etc. ——The organization's assets that support customer business operations: If the organization only provides technical services, the assets refer to service monitoring and management tools. If the organization also provides assets that support customer business operations (see the previous item), these assets should be subject to change management control; ——Supplier assets: Depending on the services, service components and functions provided by the supplier, it may provide service monitoring and management tools, or it may provide service components to the organization, and then the organization deploys them to support customer business operations. In information systems, these assets should be subject to change management controls. ——Change type: Changes are usually classified based on the two dimensions of information asset type and technical activities, such as installation and deployment, upgrades, patches, transformations, migrations, scrapping, etc. 2. Change level is a more stringent classification of change, usually based on the degree of impact of the change: The basic factors for assessing the level of change are catch-up (time is the basis) and degree of impact. The analysis of the degree of impact should comprehensively consider the following factors: ——System or service events: such as reduced efficiency, interruptions and leaks; ——Systems or services involving the country and society should give priority to leaks, focusing on personal safety and intangible impacts; ——Systems or services with strong real-time nature should give priority to interruption events, mainly focusing on the impact on finance, customers, production capacity, reputation, brand, etc.; ——For systems or services that are only used internally, priority should be given to efficiency reduction events, mainly the impact on production capacity; ——Systems or services used by customers should give priority to interruption events, focusing on the impact on customers, production capacity, etc. 3. Set the change level according to the change assessment rules, which should at least include: Standard changes: changes with mature operations, high repeatability, and minimal impact; General changes: changes that have a certain impact on the system and require the participation of IT and business managers in the review; Important changes: changes that require review by top leadership; Emergency change: The change time requirement is urgent, and the focus is on the success rate of the change and the timeliness of completion. 4. To track the change execution process, the change status should be clear, such as: new, reviewed, planned, under review, reviewed, scheduled, implemented, waiting, modified, completed, closed, etc.

1. Adding requests for services may generate new services, and deleting or transferring services will have a greater impact on the customer service catalog and SLA, requiring changes to the customer service catalog and SLA. In these cases, services may need to be redesigned and converted. 2. The source of adding, deleting or transferring services is Service Demand Management 8.4.2, and forms a service change request that meets certain conditions and falls within the scope of organizational responsibilities or contracts. SLA needs to be signed and the service design and conversion process must be executed. Finally, Deployed and implemented in customer business systems. 3. Changes in assets or CI and other factors include: a. Service changes caused by changes in customer business operations require service design and conversion; b. Changes in customer IT infrastructure cause service changes, requiring service design and conversion; c. Changes in the customer's business environment (see 4.1, 8.3.2) lead to changes in the customer's business operations and changes in the customer's IT infrastructure, which require service design and conversion.

1. Change requests should be approved and prioritized. The decisive factors for approval and priority include risk, business benefit, feasibility and financial impact. 2. The change request should be formed into a standardized document (such as an RFC form), which includes: basic information of the change initiator, change object and scope, change proposal time, change content, change reason, change risk, change type, change level, Change status, change plan, change failure handling plan (rollback, recovery, emergency, etc. plans), cost budget, etc. and other necessary factors. 3. The change approval organization may include: change administrator: conduct preliminary screening of change requests, change manager: approve general changes, change management committee: approve emergency or major changes, the above organizations usually require service providers, customers, suppliers and other necessary Personnel composition. The inputs required to approve changes (especially major changes) include: change request form, preliminary review and acceptance opinions, change implementation plan, change failure handling plan (rollback plan, emergency remedial measures, etc.), personnel organizational structure, responsibilities introduction, Description of technical feasibility, description of problems or benefits to be solved, cost budget description, description of risks, business impact and disposal measures. 4. Change test requirements are as follows: The following should be tested: built changes, implementation plans, fallback plans, backup plans, and contingency plans. A change test plan should be prepared based on test content, personnel, time schedule, etc. The main content includes: test type, such as unit test, integration test or regression test, etc.; test objectives and test content; test case design; test environment construction; test method and Tools; test record templates; test issue tracking templates; test report templates; tester organization and responsibilities; test schedule. A special testing environment (such as a quasi-production environment) should be built, and change testing in the production environment is prohibited; The following work should be carried out during the test execution process: test recording; test problem discovery and tracking; problem handling; test conclusion. 5. For changes that are approved after verification, an implementation plan should be formulated and the plan should be notified to customers, suppliers and other relevant parties. The main contents of the implementation plan include the following: implementation content and scope; built changes and rollback or remediation plans, emergency plans, etc.; production environment preparation inspection; implementation tasks and allocation; personnel organization and responsibilities; deployment schedule; and other necessary factors. 6. Records and reports related to changes should be regularly collected and sorted out, statistics on the implementation of changes should be made, and development trends should be identified. The main contents include: ——Quantity: total change requests, filtered change requests, approved change requests, successful/failed changes, emergency changes, and the number of changes of various types/levels (including the number of standard changes); ——Time: the average processing time from request to closure and the average time of each link (such as the average approval time); ——Distribution: Quantity distribution on assets/CI, quantity distribution on cost range.

1. The planning work should form a planning report. In addition to the background, principles, goals, implementation plan and path, the report content should also include: a) It is required to establish the organization and responsibilities in the entire service implementation process. The positions or personnel in the organization include personnel engaged in service planning, service designers, service construction personnel, service conversion personnel, etc., as well as corresponding management. These personnel should be distinguished They are personnel belonging to the organization, customers or suppliers. Customer or supplier personnel should be controlled in accordance with the requirements of 8.2.3 and 8.3.4; b) It is required to clarify the tasks and work processes of the organization and other relevant parties and formulate work plans. It not only requires an overall work plan to grasp the overall progress of service realization, but also requires the development of separate work plans for the organization, customers or suppliers, and final coordination Complete service implementation consistently; c) Clarify the resources required for service implementation, which is also the cost component of the organization. 8.4.1 should be followed to quantify resource costs and control cost consumption. These costs include the cost of purchasing supplier results (services, service components, service processes) and the cost of customer participation in service implementation; d) It is determined that other services with dependencies may change, which will generate associated tasks and costs. The associated tasks should be included in the person's work plan, and the associated costs should be included in the service cost; e) The work plan should include the arrangement of the required tests, and the cost of testing should be included in the service cost; f) Whether the service is necessary to meet customer requirements after implementation. The acceptance criteria include: ——Meet the SLA requirements signed by both parties (organization and customer); ——Meet the cost financial management requirements of both parties 8.4.1; ——Comply with laws, regulations and other necessary compliance requirements; g) Emphasize that the service goals or expected results are measurable to ensure the operability of the acceptance criteria; h) Risk management and control in service practice. According to the requirements of 8.5.1.1 and 8.5.1.3, the impact on SMS, other services, plan changes, customers, users and other relevant parties can be assessed. If the impact is unacceptable, risk disposal measures should be taken. . 2. For those affected by new or changed services, Ci affected by the new or changed services shall be managed according to Configuration Management 8.2.6. Its implementation requires establishing a connection between change management and configuration management, specifically including: ——Identify and label the or affected CIs in change management, and verify that the CIs in the remaining configuration libraries are consistent; ——Track the changes or affected CI, and after completing the change implementation, pass the final CI information to the configuration manager; ——According to the CI information passed, change the corresponding CI information in the configuration library, and complete the CI update after verification and comparison.

1. The organization should carry out service design work on the basis of service planning to ensure that the service planning results are feasible and implementable. Service planning focuses on setting out framework requirements for construction tasks. It is a blueprint-style plan for management, while service design is a design plan for development engineers. It should be based on the importance and scale of the services to be implemented to clarify whether preliminary Design or detail design, and construction drawing design involving physical deployment (such as involving the construction of computer room facilities). 2. Clause d) requires a review of the design plan to meet new or changed SLA, contract and other documented agreement requirements, which is a more specific acceptance criterion; Clause e) emphasizes the risks of SMS changes, involving the establishment of new or changes to policies, plans, processes, procedures, measures and knowledge in SMS, and appropriate response measures should be given; Once the service has been designed, the customer service catalog should be updated before building and transitioning.

1. The organization should build new or changed services and complete testing work to confirm whether relevant standards (including service requirements (such as SA), design solutions, and service acceptance criteria) are met. 2. The results of service construction are presented in the following types: a) Software packages that support customer business operations; b) Integrated equipment and facilities that support customer business operations; c) Software and hardware integration combination including the first two items; ——Cloud services, such as IaaS, PaaS, SaaS, etc.; ——Data services that support customer business operations, such as data storage, data analysis, etc.; ——Technical activities/technical services such as installation, deployment, upgrade, reinforcement/patching, security incident or fault handling, configuration operations, inspections and inspections, assessment and evaluation, and auditing of customer business systems; ——Others, such as video and audio services, etc. 3. The built service should also include business environment factors that are consistent with the service result type, as follows: ——Physical environment: including computer room air conditioning, electricity, cabinets, integrated wiring and other equipment and facilities, spatial layout, physical connections, etc.; ——Network environment: network architecture and core equipment, network physical topology and logical topology (such as network protocols and ports); ——Computing environment: configuration and connection of physical or virtual servers, storage, etc.; ——Security environment: configuration and connection of network boundaries, security equipment, etc.; ——Management environment: the connection between personnel and organizational requirements, technical activities, service processes, etc. That is to say, merely providing a software package is not the "service" required by customers. The operating environment factors of the software package must also be considered and integrated into the service design. 4. Testing is a test before deployment. The test environment should be a non-production environment. A test environment should be built as similar to the production environment as possible. For example, many financial institutions have built a "quasi-production environment" that is similar to the production environment. When building a test environment, the business environment factors mentioned above should be considered. Technology selection, deployment, and configuration should consider service requirements (such as SLA), design plans, service acceptance standards, etc. 5. After releasing and deploying results, the organization should establish the corresponding relationship between the expected results (goals and blueprints in planning, results in design plans, result types in service construction, etc.) and actual service deployment and operation, and provide Determine the matching degree and submit it to customers, suppliers, regulators, etc.

1. According to different levels, it can be divided into the following three categories: 1) Major release: A large rollout of new hardware and software, usually accompanied by major feature enhancements. This release typically eliminates multiple known bugs and includes temporary workarounds and temporary fixes. In practice, many organizations treat major releases as emergency releases. 2) Small software releases and hardware upgrades: This type of release usually refers to some small improvements and fixes to known bugs. Some may have been implemented earlier as emergency fixes but are now included in the release. This release also ensures that the "Previous Trusted State", the starting point for all testing, is updated. 3) Emergency fix: Usually used to temporarily fix a problem or known error. 2. According to the scale of release, it can be divided into: 1) Emergency Release: A small number of corrections to known errors and quickly implemented solutions; 2) Small release: a certain number of improvements and corrections of known bugs 3) Large-scale release: Generally, it is the first release of new software and hardware or a major improvement to the functionality of the existing architecture. 3. According to the completeness of the release package, the release can be divided into: 1) Full release: refers to releasing a complete set of programs, including those parts that have not been changed; 2) Delta release: Use Delta release when the release contains only a small number of changes; 3) Package release: the release of a set of software that is dependent and related to each other. 4. The criteria for judging whether a release fails or succeeds include: 1) Publish to meet customer service goals or service requirements, such as functionality, performance, security, etc.; 2) The release is consistent with the IT architecture of the customer’s business system; 3) The status of the release and other components (supporting the customer's business operations) is normal, and the function/performance/security parameters are within the expected value range; 4) The release matches the required connection or associated service component (relationship, see 8.2.5 Configuration Management); 5) The effective running time of releases and other components complies with contract requirements. 5. Monitoring content includes: 1) Security indicators of services and business systems (such as data integrity check, encryption, etc.), availability (such as service availability 99.9%), and continuity (such as service RPO, RTO); 2) The status, function/performance/security parameters, CPU/memory/storage/bandwidth, etc. of releases and other components (that support customer business operations); 3) System failures, security incidents, interruptions, etc.; 4) Other required parameters. 6. After the deployment is completed, an effectiveness review should be conducted and improvement measures should be taken, including: 1) Summarize the documents in the release and deployment implementation process (including failure handling) and the monitoring data of the information system, analyze the release accordingly, and finally obtain the result of successful or failed release, compile a release and deployment report, and submit it to relevant square; 2) Review failed or successful releases, analyze, judge, and confirm the reasons for success or failure, clarify improvement responsibilities for failed releases, and put forward improvement requirements until the needs are met.

The organization should make the information security policy available to relevant personnel through appropriate means, clarify the importance of following the security policy, and the applicability of the security policy to SMS and services. The organization should identify possible risks based on the organizational and customer service components and data involved in the responsibilities of relevant personnel in the service life cycle, select applicable information security policies based on the risks, and then provide relevant personnel with information through document access, training, etc. Communicate information security policy. Suitable people include: people within the organization; customers and users; external providers, internal providers and other interested parties.

1. Establishing the environment mainly includes clarifying the scope, objectives and assessment criteria of risk assessment. The assessment criteria include: risk level rules; risk acceptability, risk preference; assignment rules for assets, vulnerabilities, threats, etc.; risk calculation models, etc. Risk identification includes asset identification, threat identification, and vulnerability identification. Risk analysis includes establishing the relationship between assets, threats, and vulnerabilities, and calculating the possibility and impact of risks (see the change impact analysis method in 8.5.1.1). Risk assessment refers to ranking risks according to risk level rules. Risk disposal refers to determining acceptable and unacceptable risks based on risk acceptance levels and risk preferences, selecting safety measures for unacceptable risks, taking into account costs, benefits, urgency, etc., and setting disposal priorities. 2. The risk disposal plan is the work arrangement after selecting safety measures, including the risks to be handled, control strategies, response measures, responsible persons, disposal time, residual risks, etc.; 3. After deploying security control measures, the corresponding relationship between the service and information assets (including data) should be established in advance according to the service configuration relationship (8.2.6), and an access path similar to the service availability (8.7.1) should be formed. Carry out the following monitoring, evaluation and review work on all assets on the access path. 1. The network security architecture and design are consistent, such as network security area division, security equipment deployment, boundary security measure deployment, etc.; 2. Security function configuration must be consistent with security policy requirements; 3. Vulnerabilities on assets that should be addressed are repaired; 4. Known threats are contained; 5. For newly identified or unpatched vulnerabilities, use penetration testing methods to verify that the difficulty of being exploited by threats exceeds the tolerable level; 6. The entire service or customer business system meets national or industry regulatory requirements, such as network security level protection requirements, etc.

1. Manage the information security incident handling process, including incident extraction, recording, analysis and delegation, processing, upgrade, resolution and closure, etc. These contents can be implemented with reference to the relevant contents of Incident Management 8.6.1. 2. Determine information security strategies based on information security risks, select, implement, and operate information security controls based on risks and strategies, and form an information security risk disposal plan. 3. Regularly form information security incident reports and submit them to relevant parties. The main contents of information security incident reports include: 1) Event discovery time, assets, and impact; 2) Analysis of the causes of the incident, that is, vulnerability and threat conditions; 3) The handling process and results of the event; 4) Changes caused by events; 5) Summary of causes and improvements, such as improvement measures to reduce the frequency of incidents, mitigate damage and avoid recurrence; 6) When necessary, hold accountable and punish;