ISO/IEC 20000 present and future - applicable to all IT enabled services
Lynda Cooper
BCS SMSG
July 2015
8/14/2015 1 Service 20000 Ltd 2015
Lynda Cooper
• Project editor ISO/IEC 20000-1
• Chair of BSI committee
• UK representative to ISO committee
• Deputy chief examiner APMG for ISO20000
• Auditor for Exin for ISO20000, ISO27001, ITIL, Agile
• ISO27001 Lead Implementer
• UKAS assessor for ISO20000 and ISO27001 (assess the certification bodies)
• ITIL Master
• Independent consultant and trainer
• MBCS, CITP
What do these have in common?
Agenda
• Introduction
• ISO20000 overview
• ISO20000 in a changing service environment
• The revision of ISO20000
• Your suggestions for the future of ISO20000
• Make it interactive – please
ISO20000 pedigree
• 1995 Book - Code of practice for ITSM
• 1998 Revised smaller edition book
o awarded innovation of the year by ITSMF
• 2000 BS15000
• 2005 ISO/IEC 20000-1
• 2011 ISO/IEC 20000-1
• Other parts
o ISO/IEC 20000-2:2012: Guidance on the application of service management systems
o ISO/IEC 20000-3:2012: Guidance on scope definition and applicability of ISO/IEC 20000-1
o ISO/IEC 20000-5:2013: Exemplar implementation plan for ISO/IEC 20000-1
o ISO/IEC 20000-9:2015: The application of ISO/IEC 20000-1 to cloud services
o Part 10 – concepts and vocabulary
o Part 11 – mapping to ITIL (not yet published)
o ISO/IEC 27013, ISO/IEC 90006 – Integration guidelines for 27001 and 9001
Scope of ISO20000
• The management of Information, Communication and Technology Enabled Services
• Examples
o IT services
• Infrastructure management
• Application management
• Desktop support
• etc.
o Telecoms
o Media
o Cloud services
o Business process outsourcing
o …
Non-IT Enabled Survey
Who has an ISO20000 qualification?
Who works in an organisation with ISO20000 certification?
Who is sceptical about the value of ISO20000?
What is ISO/IEC 20000
• What it is:
o A standard that includes the design, transition, delivery and improvement of services that fulfil service requirements and provide value for both the customer and the service provider
o A management system standard (like ISO9001) that can be assessed for compliance
• What it is not:
o A product or tool standard
o A service standard
o A maturity model
[Diagram: Customers; Service Provider (Internal or External); Lead Supplier(s) or Supplier(s); Sub-contracted Supplier(s); Services]
ISO20000 Myths
• Lots of documentation that is purely for the standard
• Only for large organisations
• Only for IT infrastructure
• Based on ITIL, must use ITIL
• Too slow and bureaucratic
Typical benefits
• Supports the business to operate more effectively
• Improved quality of service
• Increased business/customer confidence
• Controlled costs
• Improved reputation, consistency and interoperability
• Enables better understanding of business, roles and processes
• Staff morale boosted by working in a controlled environment
• Major milestone for a service provider: demonstrates professionalism and serious intent
• Competitive edge for selection of an external service provider
• Provides method of review that assures continual improvement
• Ability to develop integrated management system
• Turns the ‘shoulds’ into ‘shalls’ leading to fully integrated processes
ISO/IEC 20000 processes
The generic management system processes
• Service management system (SMS) (4)
o Management responsibility
o Governance of processes operated by other parties
o Establish the SMS - Scope - PDCA
o Documentation management
o Resource management
The SM processes
• Design and transition of new or changed services (5)
• Service delivery processes (6)
o Capacity management
o Service level management
o Service reporting
o Service continuity & availability management
o Information security management
o Budgeting & accounting for services
• Relationship processes (7)
o Business relationship management
o Supplier management
• Resolution processes (8)
o Incident and service request management
o Problem management
• Control processes (9)
o Configuration management
o Change management
o Release and deployment management
Further information
• BSI books
o A manager's guide to service management
o Introduction to the ISO/IEC 20000 series
• APMG web site ISO20000 blogs
• http://blog.apmg-international.com/author/lynda-cooper/
• Many LinkedIn forums
• Qualifications
o BCS ISO20000 Foundation
o APMG ISO20000 Foundation, Practitioner, Auditor
o Exin
o PeopleCert
Questions
• Can ISO 20000 help you create, deliver, support and improve technology that enables your business?
• If ISO20000 is based largely on ITIL, then how can ISO20000 be relevant today when ITIL is largely out of date?
• Do you believe that you can use a standard to help drive change and simplify what, how, who, when and why technology for an organisation?
• How can ISO20000 help SIAM, Agile, ITSM and business governance?
ISO20000 and changing service environments
Is ISO20000 applicable to changing service environments such as Cloud, 'as a service' models, SIAM, Devops, Lean ITSM, Agile and ITIL?
ISO20000 and other frameworks
• Principle: ISO/IEC 20000-1 should allow the use of any framework, commercial or public, in order to achieve certification.
• ISO standards are not allowed to favour one framework
ISO20000 and ITIL
• ITIL is the most common framework used with ISO20000
• ITIL and ISO20000 have different purposes so they will never be the same
[Diagram labels: Problem, CMDB, Incident]
ISO20000, Cloud and ‘as a service’ models
• See ISO20000 part 9 – the application of ISO/IEC 20000-1 to cloud services
• A typical cloud services lifecycle is followed with reference to part 1 requirements
• The scope of part 9 states:
o This part of ISO/IEC 20000 provides guidance on the use of ISO/IEC 20000-1:2011 for service providers delivering cloud services. It is applicable to different categories of cloud service, such as those defined in ISO/IEC 17788/ITU-T Y.3500 and ISO/IEC 17789/ITU-T Y.3502, including, but not limited to, the following:
o a) infrastructure as a service (IaaS);
o b) platform as a service (PaaS);
o c) software as a service (SaaS).
o It is also applicable to public, private, community, and hybrid cloud deployment models.
o The applicability of ISO/IEC 20000-1 is independent of the type of technology or service model used to deliver the services. All requirements in ISO/IEC 20000-1 can be applicable to cloud service providers.
ISO20000 and Devops
• Devops spans entire delivery lifecycle
• Origins in Agile
• When preparing for service delivery and delivering, what in ISO20000 is not relevant?
ISO20000 and Lean
• Lean, 6-Sigma
o great ways to support continual improvement, a key requirement of ISO20000
• The central concern of Lean is the elimination of waste, where waste is work that adds no value to a product or service.
• Just make sure that any proposed changes to the SMS as a result of Lean initiatives retain conformity to ISO20000 requirements
ISO20000 and Agile
• Agile – what a great way to work for changes and improvements during service delivery
• If Agile has been used for development and results in some early delivery of functionality, then a decision needs to be made whether this becomes subject to ISO20000
o is there any reason not to?
ISO20000 and SIAM
• Principle: The ISO/IEC 20000 series should be applicable to all sizes (very small enterprises, medium and large) and types (public, private, not for profit) of internal or external service providers.
• Probably only very large organisations will use SIAM
• Many suppliers in SIAM models can achieve ISO20000
• The SIAM broker/lead may only operate a few processes e.g. SLM, BRM, supplier management. They therefore are not (currently) eligible for ISO20000
• A study group has been set up to look at the service management and governance of services provided with multiple suppliers. This will review the requirements for additional standards.
Not applicable?
• Can you think of any service models where ISO20000 is not applicable?
Drivers for revision
• All standards reviewed every 5 years – remove, keep as is or revise
• All management system standards are moving to a new common high level structure with some common requirements – known as Annex SL
• Changes in services market mean that the standard needs to be updated
• Lessons learned, feedback on current standard
• Other standards that are frequently used with ISO20000 have been revised and changes need to be made to retain alignment (9001 and 27001 primarily)
Principles of changes
• Benefit for the service providers using the standard and the customers of the services.
• Take into account the current market for the standard and allow that market to grow and not be likely to decline.
• Revision should not be a fundamental change of direction for those working towards certification or currently certified organizations. Transition should be relatively simple and not deter current users of ISO20000.
Expected timeline
• 2018
o Part 1 (Requirements)
o Part 10 (Concepts and vocab)
• Max. 6 months later
o Part 2 (Guidance)
o Part 3 (Scope and applicability)
• Max. 12 months later
o Part 5 (Implementation planning)
o Part 6 (requirements for certification)
• 18 – 24 months later
o Other parts
New Annex SL structure related to PDCA
PLAN
4. Context of organization
5. Leadership
6. Planning
7. Support
DO
8. Operation
CHECK
9. Performance evaluation
ACT
10. Improvement
Specific requirements from ISO/IEC 20000-1:2011
• 4 – SMS general requirements
o requirements of current clause 4 are superseded by or will be added into standard structure clauses 4 - 10
• 5 – Design and transition
• 6 – Service delivery
• 7 – Relationship
• 8 – Resolution
• 9 – Control
o current clauses 5 - 9 will be added into standard structure clause 8 - Operation
Changes in Annex SL to current clause 4
• Organisational context
• Risk based approach – more requirements than currently in ISO20000-1
• Objectives – not only at top level but also at relevant functions/levels
• More requirements for monitoring, measurement, analysis and evaluation
Terms and definitions
• New Annex SL terms
• Some existing terms deleted due to Annex SL same or similar terms
• Many existing terms have suggestions for improvement
• Some suggested additions e.g. user
Other likely changes
• Principle: What, not how
o E.g. budgeting and accounting to be less prescriptive, still requiring control but within the normal financial processes of the organisation
o E.g. remove some prescriptive requirements, such as the list of contents of contracts, to allow for standard contracts with large service providers and cloud providers
• Principle: Maximum 20 pages of requirements
o Avoid duplication
o Combine common items together
• Principle: Minimise customisation of Annex SL text
Other likely changes
• Simplify DTNCS/clause 5 and relationship with change management
• More emphasis on delivering business value to the customer
• Interfaces with governance
Integration with 9001 and 27001
• Common structure and some common requirements
• Alignment with 27001 for information security process
• But ensure that 20000-1 is not implying that there needs to be an ISMS within the SMS. This will simplify the information security requirements in 20000-1
• Review the revised 9001 edition and review for any changes needed in 20000-1
Suggested further structural changes
• Separate joint processes
o Service continuity and availability
o Incident and service request
• Combine
o Change and release
• Add processes (or requirements in other clauses/processes)
o Portfolio management
o Knowledge management (some requirements now added to 9001)
o Asset management
o Requirements management
• Delete
o Budgeting and accounting
ISO20000 future – what are your suggestions?
Lynda Cooper