What is ISO/IEC 20000?

An Introduction To The International Information Technology Service Management Standard

By Mart Rovers
President, InterProm USA Corporation
April 2011

Copyright © 2012 by InterProm USA. All Rights Reserved. www.InterPromUSA.com


Contents

•  Introduction
•  Service Management System
•  Quality Principles
•  A Pragmatic Norm
•  ISO/IEC 20000 Contributions
•  Benefits
•  The Certification Process
•  Qualification Scheme
•  Publications
•  Useful Links
•  About the Author
•  About InterProm USA


Introduction

ISO/IEC 20000 is the international norm for Information Technology Service Management (ITSM). ISO/IEC 20000 is the offspring of the British Standard 15000 (BS 15000), a standard of the British Standard Institute which originated in the 90s. In other words, the ISO/IEC 20000 standard has been contributing to the ITSM field of expertise for many years, even though it was formally launched in December 2005. Initially, the BS 15000 standard was introduced to measure the level of implementation of ITIL®’s best practices in an organization or its adherence to the goals of the ITIL processes.

Since the introduction of the standard in 2005, both the International Organization for Standardization (ISO) and the International Electro-technical Commission (IEC) have released several additional parts of the ISO/IEC 20000 standard:

•  ISO/IEC 20000-1:2011, Service Management System Requirements; the normative standard that is used for certification audits

•  ISO/IEC 20000-2:2012, Guidance on the Application of Service Management System; the informative standard which provides recommendations for implementing the requirements

•  ISO/IEC TR 20000-3, Guidance on Scope Definition and Applicability of ISO/IEC 20000-1; an informative standard providing advice regarding scoping, applicability and conformity

•  ISO/IEC TR 20000-4, Process Reference Model; an informative standard providing a process reference model

•  ISO/IEC TR 20000-5, Exemplar Implementation Plan; an informative standard providing a sample implementation plan

Additional parts are expected to be released in 2012 and 2013.

The core components of the standard are the first two documents:

•  Part 1: ISO/IEC 20000-1: a document with 256 requirements a service provider “shall” adhere to when seeking ISO/IEC 20000 certification. Each requirement has the word “shall” in it.

•  Part 2: ISO/IEC 20000-2: a document with more than 800 recommendations a service provider “should” take into consideration when desiring to meet the requirements of Part 1 of the standard. Each recommendation has the word “should” in it or the words “can” or “could”.

ISO/IEC 20000 is a worldwide standard that describes the implementation of an integrated process approach for the delivery of IT services. It consists of a set of minimum requirements to audit an organization against effective IT Service Management. The standard promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements.

For an organization to function effectively it has to identify and manage numerous linked activities. Furthermore, ISO/IEC 20000 promotes the coordinated integration and implementation of the service management processes to provide the ongoing control, greater efficiency and opportunities for continual improvement.

The diagram below shows the structure of the ISO/IEC 20000 standard. The foundation of the standard is the Service Management System (green rectangle). With this foundation in place, the service provider is able to Design and Transition New or Changed Services (blue rectangle). The Service Delivery Processes, combined with the Relationship Processes, the Resolution Processes and the Control Processes perform the strategic, tactical and operational service management activities.

Figure: The ISO/IEC 20000 Structure

4. Service Management System (SMS): Management responsibility; Governance of processes operated by other parties; Documentation management; Resource management; Establish the SMS: Plan the SMS (Plan), Implement and operate the SMS (Do), Monitor and review the SMS (Check), Maintain and improve the SMS (Act)

5. Design and Transition of new or changed services

6. Service Delivery Processes: Capacity management; Service continuity & availability management; Service level management; Service reporting; Information security management; Budgeting & Accounting for services

7. Relationship Processes: Business relationship management; Supplier management

8. Resolution Processes: Incident and service request management; Problem management

9. Control Processes: Configuration management; Change management; Release and deployment management

Service Management System

The Service Management System (SMS) is what will be audited for certification. The SMS is the framework of processes, tools and resources (human resources, technology resources, information resources, and financial resources) coordinately used to plan, execute, document and continually improve service management tasks in a goal-oriented, customer-oriented and quality-oriented way. Important aspects of the SMS are:

•  Management Responsibility
•  Governance of Processes Operated by Other Parties
•  Documentation Management
•  Resource Management

The standard also provides the requirements of the steps involved to establish and maintain the SMS. These steps follow the Quality Circle of Deming: Plan-Do-Check-Act:

•  Plan the SMS (Plan)
•  Implement and Operate the SMS (Do)
•  Monitor and Review the SMS (Check)
•  Maintain and Improve the SMS (Act)

Some of the important business-analyst-type questions addressed in the SMS are:

1.  What are the customer and business requirements, needs and expectations?

2.  What are the statutory and legal requirements the service provider needs to take into account?

3.  Are there requirements of standards the service provider needs to abide by?

4.  Does the service provider have contractual obligations to adhere to?

5.  What are the service requirements, as a result of these requirements and obligations as listed above?

6.  What is the portfolio of services that is needed to meet these service requirements?

7.  What is the service management policy and what is the service management plan, i.e. the service strategy, to meet these service requirements?

The execution of the service management plan will be performed by the 14 ISO/IEC 20000 processes. The process that turns the service requirements into new services and makes changes to existing services is called Design and Transition of New or Changed Services. This process manages service changes and has many project management characteristics.

The remaining 13 processes are combined in the following sets of processes:

Service Delivery Processes

1.  Service Level Management
2.  Service Reporting
3.  Service Continuity and Availability Management
4.  Budgeting and Accounting for Services
5.  Capacity Management
6.  Information Security Management

Relationship Processes

7.  Business Relationship Management
8.  Supplier Management

Resolution Processes

9.  Incident and Service Request Management
10. Problem Management

Control Processes

11. Configuration Management
12. Change Management
13. Release and Deployment Management

Ultimately, the SMS serves one major purpose: turning customers with needs, expectations and requirements into satisfied customers. This is why the standard focuses on effectiveness. Over time, the focus can shift towards efficiency by means of continuous improvements.

Quality Principles

ISO/IEC 20000 is based on many frameworks, one of them being ITIL. This does not imply that an organization is required to embrace the ITIL best practices in order to meet the standard’s requirements. One can also conform to the ISO/IEC 20000 requirements by adopting the COBIT framework for example, and/or best practices and norms stemming from CMMI, Six Sigma, ISO 9001, ISO/IEC 27001 and others. ISO/IEC 20000 is ‘framework neutral’.

ISO/IEC 20000 combines the world of quality and continuous improvement (Plan-Do-Check-Act) of the service provider’s IT processes, and the Service Management System that is part of the norm. With this, ISO/IEC 20000 provides an answer to the need for a clearly and concisely defined level of quality within the ITSM field of expertise.

ISO/IEC 20000 incorporates all of the eight quality management principles of ISO 9001:

Every ISO/IEC 20000-1 requirement supports one or more of these quality principles. What does this mean? For example, when meeting the requirements supporting Customer Focus, the service providers’ culture has changed to being more focused on customers. In other words, implementing the requirements of the standard will bring a cultural and organizational change. This includes, but is not limited to, better communication, increased transparency, less dependency on key personnel, disappearing IT silos, improved governance, and last but not least increased value delivery through quality services and predictable service levels.

A Pragmatic Norm

Most likely, the best that ISO/IEC 20000 has to offer is that it is a very pragmatic and common-sense norm. It is based on years of practical experience and with that it has become a collection of logical and clear requirements. One can apply it right away and the norm consists of only 36 pages. This is why we think ISO/IEC 20000 deserves special attention among service providers as well as service consumers.

Representatives of more than 20 countries, working together in the Joint Technical Committee 1 / Subcommittee 7 of the ISO/IEC organizations, have contributed to the 2011 version of the standard through a transparent and democratic voting process.

ISO/IEC 20000 not only provides the requirements to design service management, it also describes the requirements to set up a Service Management System, or a governance system if you will, as well as the processes in support of it all. The requirements are focused on the effective delivery of IT services.

ISO/IEC 20000 requires IT’s leadership to commit to the service and process requirements, to the vision and mission of IT as well as aligning it to the vision and mission of the business and/or customer. Furthermore, leadership needs to commit to the documentation of IT’s policies, processes, procedures, and plans as well as the provision of the resources required, such as human resources, technical resources, information resources and financial resources.

ISO/IEC 20000 Contributions

The ISO/IEC 20000 standard is being adopted globally by 1000s of companies and organizations already. Many have even been certified. Not so much to use the certification as a marketing advantage, but most often to show to the customers of IT’s services that the IT department/organization is taking the quality of services seriously.

Below you will find a list of considerations for which the ISO/IEC 20000 standard could be a valuable contribution:

•  When comparing IT service providers. ISO/IEC 20000 provides uniform and common language as well as a norm for benchmarking

•  When selecting an IT service provider. An IT organization can express added value when offering its services and distinguish itself from its competition

•  When an IT department/organization is looking for ways to better understand the needs of the customer. ISO/IEC 20000 can be a norm to improve IT governance

•  When needing guidance to determine which best practices to focus on first when adopting industry best practices to improve the effectiveness and efficiency of the IT department/organization

•  When seeking increased transparency of IT service provision costs, risks, IT budgets and costs

•  When looking for ways to implement changes faster and more effectively and when seeking a norm to improve efficiency and effectiveness

•  When attempting to better align the IT department’s/organization’s services to a third party’s services, creating a uniform chain of services in particular from a process perspective

•  When looking for an effective method and uniform guidelines to outsource or offshore through well-aligned process interfaces and common and consistent nomenclature. A norm which regulates outsourcing

•  When seeking a norm for reliable and available quality IT services

•  When looking for evidence that IT’s processes are in compliance with international financial and security norms, rules and regulations

•  When going for a broad range of quality improvements within the IT department/organization, as well as boosting IT’s professional image

•  When looking for an independent and non-biased baseline to weigh service providers against and use it as a norm

When going over this list, you will most likely find a reason that resonates and meets your short or long term service quality improvement needs.

Benefits

ISO/IEC 20000 provides a framework and systematic approach to managing the IT Service Management processes to deliver an IT service that conforms to the customer expectations. Implementing ISO/IEC 20000 improves the effectiveness and efficiency of the business process and it saves money. Most companies implementing ISO/IEC 20000 have experienced an increase in service effectiveness and process efficiency, higher customer satisfaction, improved service quality and increased levels of business-IT alignment and IT governance. Not to mention the strategic guidance that was provided to top management to steer the service provider’s organization in the direction of higher value perception of the services delivered.

An ISO/IEC 20000 certified IT department or IT organization complies with globally accepted norms regarding the development and the delivery of IT services. For customers it will become easier to compare these IT service providers.

There are many other benefits of being certified or simply using the standard even when not seeking certification.

Below you will find a few examples.

•  To qualify for new customers; more and more companies and organizations consider ISO/IEC 20000 certification an essential requirement for conducting business with a new vendor

•  To enter global markets; the ISO/IEC 20000 standards are widely recognized

•  To objectively measure the level of compliance to industry best practices

•  To have better information available for numerous purposes

•  To better streamline the various process improvements that may go on simultaneously in an IT department

•  To provide guidance with prioritizing the best practices to be implemented in an IT department

•  To give a company or organization a competitive edge

•  To show a drive for quality services

•  To objectively assess and benchmark IT’s level of maturity

•  To increase customer focus and transparency of value provided to the business

•  To establish a mentality of continual improvement in IT

The Certification Process

The ISO/IEC 20000 certification process consists of seven steps:

1.  Complete a Questionnaire
2.  Apply for an Assessment
3.  Conduct an optional pre-audit
4.  Conduct an Initial Audit (Stage 1)
5.  Conduct the Certification Audit (Stage 2)
6.  Conduct Surveillance Audits
7.  Conduct the Re-certification Audits

Prior to contacting certification auditors, it is recommended to conduct self-assessments or readiness assessments done by an experienced consulting firm or a qualified internal auditor.

The very first step of the certification process is to select a Registered Certification Body (RCB), an independent accredited organization which is authorized to perform ISO/IEC 20000 certification audits and that can certify service provider organizations. The certification body will get the process going by forwarding the questionnaire and the application form for the certification audit.

In order to increase comfort levels when determining whether the service provider is ready for certification, one can have the RCB conduct a pre-audit. This optional audit, which has no consequences as far as failing or conforming to the standard, is comparable to a certification audit. It provides objective insight into whether or when to proceed with the certification audit.

The certification audit consists of two stages. During stage 1, the lead auditor will perform a document review. Service Management System documents, such as policies, plans, processes, procedures, and agreements, are reviewed for compliance with the standard’s requirements. During this stage the scope of certification is agreed upon. In other words, which part, or which services, of the service provider’s organization is being certified.

During stage 2, auditors will be looking for records (proof, evidence) that the Management System is operated in line with the documented Service Management System. In other words ‘show me that you are doing what you say you are doing’. This includes live interviews and onsite inspections. A Corrective Action Plan (CAP) usually identifies the areas to be addressed to close the gaps that have been identified during the several audit stages.

When meeting all the requirements, the RCB will grant certification to the service provider for three years. During this timeframe at least two surveillance audits will be conducted to determine whether the service provider is still upholding the requirements.

After three years a recertification audit is required to maintain certification.

Qualification Scheme

Especially for IT professionals involved in quality improvements of IT services at every level, TÜV SÜD Akademie has developed a qualification scheme: IT Service Management according to ISO/IEC 20000.

This certification program for individuals is not only geared towards understanding the basic ISO/IEC 20000 requirements, but its practical advanced modules also focus extensively on the essential organizational change aspects such as attitude, behavior and culture, something which comes along with an ISO/IEC 20000 implementation effort. The certification program serves as a viable and more focused alternative to the ITIL qualification scheme.

The Foundation level provides an overview of the basics, the concepts and the important aspects of the ISO/IEC 20000 standard.

The Professional level offers practical knowledge to subject matter experts for quality services and processes in support of value delivery to customers. The Professional courses to choose from are:

1.  Management and Improvement of ITSM Processes (M&I)
2.  Support of IT Services
3.  Control of IT Services
4.  Alignment of IT and the Business
5.  Delivery of IT Services

The M&I certificate combined with two additional certificates qualifies a student to seek the highest levels of certification.

The Associate Consultant/Auditor course provides a short track to these highest levels.

These highest levels of certification consist of an IT Management Track for managers and consultants and an IT Auditor Track for Auditors.

The Management Track consists of a Consultant/Manager course and an Executive Consultant/Manager course, the Master level of the qualification scheme during which a project thesis is defended before a committee.

The Auditor Track consists of an Internal Auditor course and a Lead Auditor course.

Publications

At the time of writing this white paper, there is one ISO/IEC 20000 publication available that is based on the latest version of the standard, published by Van Haren Publishing:

•  ISO/IEC 20000-1:2011 – A Pocket Guide

The standard can be purchased through the ISO organization’s website www.iso.org. Licenses of the standard are available through the ISO organization and several publishers when desiring to place an electronic copy of the standard on the company’s Intranet.

Useful Links

Below you will find a few useful ISO/IEC 20000 links.

•  ISO Organization: http://www.iso.org

•  ISO/IEC 20000 Certification Exams: http://tuvamerica.com/services/examinationinstitute/isoiec20000.cfm

•  ISO/IEC 20000 Certification Training: http://www.interpromusa.com/index.asp

•  ISO/IEC 20000 Books: http://www.interpromusa.com/index.asp

•  ISO/IEC 20000 Special Interest Group itSMF USA: http://www.itsmfusa.org

•  ISO/IEC 20000 Certified Firms: http://www.isoiec20000certification.com/

•  ISO/IEC 20000 RCBs: http://www.isoiec20000certification.com/

About the Author

Mart Rovers is the President of InterProm USA Corporation. He has over 30 years of experience in IT and has been consulting and training in IT Service Management (ITSM) and Information Security Management (ISM) since 1992.

He currently serves as the President of the itSMF USA Arizona Local Interest Group and is the Chair Person for the ISO/IEC 20000 Special Interest Group.

Mart is a certified ISO/IEC 20000 Internal Auditor and ISO/IEC 20000 Executive Consultant/Manager (Master). He holds the ITIL® v3 Expert certification along with ISO/IEC 27001 Professional certifications. He has led numerous organizations towards becoming ISO/IEC 20000 and ISO/IEC 27001 certified and is an accredited instructor for ISO/IEC 20000, ISO/IEC 27001, and ITIL training courses.

Mart received his MBA degree in Information Analysis and holds BS degrees in Mathematics and in Marketing.

About InterProm USA

Since 1997, InterProm USA Corporation has been a vendor-neutral ITSM and ISM consulting and training firm. InterProm USA was actively involved in the first ITIL implementation project in the US during the mid-90s. Ever since, InterProm USA has helped more than 500 US companies and organizations of all sizes to benefit from ITIL, ISO/IEC 20000 and ISO/IEC 27001 in various ways, ranging from certification training courses, workshops, assessments, consulting and coaching to implementation projects. Our SPOT™ model is the representation of our core competencies to your benefit.

InterProm USA prides itself on only using its own highly experienced instructors and consultants who have actually gone through and implemented ITSM best practices for more than a decade. Our top trainers and consultants have more than 20 years of full time ITSM/ITIL implementation experience.

InterProm USA is an LCS and TÜV SÜD Accredited Training Provider (ATP). We use our own LCS and TÜV SÜD-accredited course materials and instructors. InterProm USA is accredited for all ITIL, ISO/IEC 20000 and ISO/IEC 27001 certification training courses.
