The ISO/IEC 20000 Service Management Handbook


The ISO/IEC 20000 Service Management Handbook
Training – Implementation – Certification
Jenny Dugmore

First published in the UK in 2012 by
ConnectSphere
Business and Technology Centre
Bessemer Drive
Stevenage
Hertfordshire SG1 2DX
UK
www.connectsphere.com

© ConnectSphere Limited
The moral right of the author has been asserted.

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise, without prior permission in writing from the copyright owner and publisher.

Whilst every care has been taken in developing and compiling this publication, ConnectSphere accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

Printed in Great Britain by ConnectSphere.
ISBN 978-1-908772-04-6

Contents

This handbook and ISO/IEC 20000  1
Chapter 1  What is the 20000 series?  3
Chapter 2  Close links to the 20000 series  5
Chapter 3  The first steps in implementing Part 1  7
Chapter 4  Continual improvement: Plan-Do-Check-Act  13
Chapter 5  The Part 1 requirements summarized  15
Chapter 6  Certification and qualification schemes  21
Chapter 7  Differences between Part 1:2005 and Part 1:2011  23
Annex A  The Part 1 collections  29
Annex B  Checklist of documents, records and evidence  37
Bibliography and other sources of information  43

This handbook and ISO/IEC 20000

The service management industry recognizes that there must be consistently high standards in how services are delivered. It also recognizes that technology-based services are normally reliant on the contribution of several organizations, across a supply chain. ISO/IEC 20000, a multi-part series of International Standards and Technical Reports on service management, is the result of this recognition.

ISO/IEC 20000 originated in the UK as BS 15000, from work that started in the late 1980s. The two parts of BS 15000 were the world's first service management standards. Following an early adopters' scheme and publication of a second edition, the two-part BS 15000 became the two-part ISO/IEC 20000 in 2005. Both parts of ISO/IEC 20000 were published in English and then translated into several other languages. Both parts have now been revised and re-published. The 20000 series has also been extended.

Adopting ISO/IEC 20000 means an organization has increased credibility, greater control and reduced costs. It contributes to compliance with regulatory and statutory requirements and contractual obligations. Using ISO/IEC 20000 means service management is based on tried and tested industry best practices, saving time and money.

The general principles of ISO/IEC 20000 apply to a very broad base of organizations with a variety of forms, interests and circumstances. Consequently, different organizations implement service management in ways that differ at a detailed level, but the general best practice principles remain the same across these organizations. This means delivery of services is not reliant on a confused mixture of practices and processes across a supply chain.

This handbook covers the key points in ISO/IEC 20000, in particular the requirements for a service management system specified in ISO/IEC 20000-1.

This handbook provides support for anyone with an interest in service management. It will be of interest to those responsible for service management being implemented or improved and those preparing for a certification audit. It will also be helpful to customers and procurement departments who wish to have better services at reduced costs.

It will be of use as an aide-memoire, particularly for those preparing for an examination, but it is not a substitute for the actual ISO/IEC 20000.

Other handbooks will be available in 2012. They include information security, specific advice on the use of ITIL[1] to achieve Part 1 requirements, governance of IT, information security and customer satisfaction management.

[1] ITIL is a Registered Trade Mark of the Cabinet Office.


Chapter 1 What is the 20000 series?

ISO/IEC 20000 is now a five part '20000 series', with other parts planned. As described below, Parts 1 to 5 are published and Parts 7, 10 and 11 are under development. Parts 6, 8 and 9 are reserved for future projects.

The core of the 20000 series remains ISO/IEC 20000-1, a set of requirements for a service management system (SMS) that can be used as the basis of an audit. ISO/IEC 20000-1 is also known as 'Part 1'.

All current International Standards are framework independent. However, ISO/IEC 20000 is sometimes referred to as 'the ITIL standard'. The synergy between ISO/IEC 20000 and ITIL means that the growth in the use of ITIL is mirrored by the growth in the use of ISO/IEC 20000. ITIL and the 20000 series are owned by different organizations and are developed over different timescales, using different approaches. As a result, although they each add value to the other, there are inevitably some differences. The key differences are summarised at the end of Chapter 3.

Part 1: The requirements (the 'shalls')

Part 1 requirements are based on the verb 'shall'; they are the 'must do's'. The Part 1 requirements are for an SMS as an effective method of delivering a service, continual improvement and service management.

Part 1 is rarely used standalone. It can be likened to a recipe without instructions for how the ingredients are to be used. The rest of the 20000 series (and ITIL) provide the guidance on how to plan, design, implement and operate a Part 1 SMS.

Neither the guidance in the 20000 series nor ITIL can change the Part 1 requirements. Conflict in the interpretation of requirements should be resolved by reference to Part 1.

This handbook refers to the 2011 edition of Part 1 and includes a summary of the key differences between the 2005 and 2011 editions, in Chapter 7.

Part 2: Guidance on application of SMS

The second edition, published in 2012, explains each Part 1 requirement using practical examples, i.e. what to do with the ingredients in the Part 1 recipe.

Part 3: Guidance on scope and applicability

The 2009 first edition of Part 3 is a Technical Report with scenario-based guidance on how to define the scope of an SMS. Part 3 also provides guidance on scope statements for certificates awarded following a successful independent audit. It is useful for internal and external auditors. It is also useful for those designing a new or changed service that affects the scope of an established SMS.

Part 3 is under revision to align with the 2011 edition of Part 1. The second edition of Part 3 will be an International Standard instead of a Technical Report.

Part 4: Process reference model (PRM)

'Will we ever achieve Part 1?' can be a daunting question. In contrast, some organizations wish to go 'beyond 20000'. As a result, there is interest in multi-level assessment models that span the most basic to an SMS that exceeds Part 1 requirements.

Part 4 is a process reference model. It has been developed to act as the basis of a process assessment model to be published as ISO/IEC TS 15504-8. Part 4 is of most use to those interested in multi-level assessments.

Part 5: Exemplar implementation plan for Part 1

Part 5 was published in 2010 in response to questions such as: 'How do we implement Part 1?' It is a general purpose plan for 'what to do first, what to do next and what to do last' when implementing Part 1. It includes guidance on topics such as business cases and effective policies.

The second edition of Part 5 will include more on governance of processes, management of internal groups and customers acting as suppliers, as well as the service provider's early involvement in projects that will lead to changes to services.

Part 5 is of most use to those involved in implementing an SMS, or making a major change to the SMS or services, including continual improvements.

Part 7: Application of Part 1 to the cloud (under development)

Part 1 is applicable to all technology-enabled services. Part 7 will give guidance to those applying Part 1 to services delivered by cloud technology.

Part 10: Concepts and terminology (under development)

Part 10 explains the context of Part 1: relationships to the 20000 series, other standards, methods and frameworks. All the special terms currently defined only in Part 1 will also be in Part 10, for easier use across the whole 20000 series.

Part 11: Mapping of Part 1 and ITIL (under development)

Part 11 is being developed in response to market research into what the service management industry wants: 'How do ISO/IEC 20000 and ITIL align?' This is a new initiative for the International Organization for Standardization (ISO). ISO does not normally publish documents that include another organization's copyright.

Part 11 is a Technical Report partly because of the different revision cycles of the 20000 series and of ITIL. The different cycles mean the contents of Part 11 will have to be updated more frequently than is usual for an International Standard. Publication of a Technical Report takes approximately half the time required for an International Standard.

Part 11 will be followed by the mapping of Part 1 to other non-ISO standards, methods and frameworks, depending on future market research.

Chapter 2 Close links to the 20000 series

The 20000 environment

A number of standards, methods and frameworks are not part of the 20000 series, but are linked to it and can enhance the use of the series. Several of these are shown in Figure 1, with the most closely linked also described in the text.

Figure 1 – ISO/IEC 20000 and other standards, methods and frameworks

ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (under development)

This guidance document is due for publication in late 2012. It is a practical summary of requirements in ISO/IEC 27001, Information security management systems – Requirements, and in Part 1.

It provides guidance on establishing an integrated management system based on both standards. Although ISO/IEC 27013 is part of the 27000 series, the contents are equally weighted to both standards.

Integrated is the term used where the common features of both standards are implemented once. This goes well beyond the overlap of Part 1, Clause 6.6 on information security management with ISO/IEC 27001.

Many of the information security controls in ISO/IEC 27001 are similar to the requirements in Part 1. Although terms and definitions are often different, many requirements have a common intent across both standards. ISO/IEC 27013 helps the reader understand where one standard can be used to strengthen the other.

ISO/IEC TS 15504-8: An exemplar assessment model for IT service management (under development)

This is the process assessment model (PAM) based on Part 4 of the 20000 series, referred to in Chapter 1. It is a Technical Specification rather than an International Standard.

It will enable implemented processes in Part 1 to be assessed according to the requirements of ISO/IEC 15504-2, Information technology — Process assessment — Performing an assessment. ISO/IEC 15504-2 is the standard that defines how processes are assessed. It will be useful for determining capability.

ISO/IEC TS 15504-8 gives more detail on service management process performance and capability than Part 1.

ISO/IEC TS 15504-8 splits the Part 1 processes and the process attributes across levels. The lowest level is where there are serious defects in the service management. There is little or no formality, inadequate documentation and neither process integration nor continual improvement is effective.

At the highest level, there is a very high quality of management, service management and optimization of processes.

ISO/IEC 19770: Software asset management – Parts 1 and 2

ISO/IEC 19770-1: Processes

This standard is a set of detailed requirements for software asset management (SAM). The standard is designed to enable an organization to prove that SAM satisfies corporate governance requirements. It provides effective support for service management overall.

ISO/IEC 19770-2: Software identification tag

ISO/IEC 19770-2 is a detailed subset of the full ISO/IEC 19770-1. It provides a SAM data standard for software identification (SWID) tags. SWID tags give identification information for software or other licensable digital items, such as fonts or copyrighted papers.

Other parts of the 19770 series are under development.

ISO/IEC TR 90006: Application of ISO 9001 to service management (under development)

This Technical Report is targeted at the users of ISO 9001. It will provide guidance for the application of ISO 9001 requirements to the processes and activities covered by ISO/IEC 20000-1.

Others in this series include ISO/IEC 90003, which is guidance for the application of ISO 9001 to the acquisition, supply, development, operation and maintenance of computer software and related support services.

Chapter 3 The first steps in implementing Part 1

Understanding service management systems

All organizations have some form of management system – at its simplest it is how an organization is managed. Regrettably, some management systems are ineffective. Typically, they lack management direction, are variable in operation and have too little documentation. In these organizations, the managers are usually too busy dealing with crises to actually manage people, processes or technology.

An SMS is broadly applicable to all aspects of managing a service. The service management processes distinguish Part 1 from other management systems. The Part 1 requirements for an SMS are summarised in Annex A.

The SMS is how the service provider achieves overall control of everything used to deliver and control technology-based services. An SMS includes some aspects of governance. Despite being a 'management system', it is far from being 'only what the managers do'. It covers the full spectrum of roles and responsibilities, from top management to the most junior personnel. The 20000 series uses 'top management' for the highest level of managers in the service provider organization.

The components of the SMS range from the specialized back office processes, such as configuration management, through to the front office business relationship management process. The SMS encompasses short-term reactive processes such as incident management through to long-term proactive activities such as service continuity management and continual improvement (Figure 2).

Figure 2 – Components of the SMS

Checking the scope

An SMS can be established as a completely new initiative, without reuse of a service provider's existing practices, documents or records. This is a relatively rare event. Usually, the more cost-effective and faster approach is to reuse as much as possible. For example, it is common for processes to be performed at a high standard by dedicated personnel, but with each process operating in isolation. Cooperative working and integration of the processes in Part 1 is fundamental to the success of an SMS.

Reusing what is good involves a review of what is present – good and bad. This is a review of what is actually done as well as what is documented.

A gap analysis comparing reality to the requirements for an SMS in Part 1 is an important early step, as described below. The list of documents and records relevant to Part 1 given in Annex B will be helpful for this. Another early step is a check that the scope of the service provider's activities is appropriate for Part 1. For example, are all the processes in Part 1 implemented?

Service delivery may rely on processes operated by other parties. When this is the case, the service provider should be in full control of the supply chain and in particular the processes operated by other parties. This might sound like a statement of the glaringly obvious – but it is regrettably common for service providers to agree a contract with a supplier that leaves them with little control of what and how the service provider delivers a service. How the supply chain affects scope definition is also explained in Chapter 7. An example supply chain relevant to the 20000 series is shown in Figure 3.

Figure 3 – A simple example of a supply chain

The processes do not need to have the names used in Part 1. Nor does the service provider need to subdivide service management in the same way as Part 1. For example, incident and service request management can be two separate processes or even combined with another process.

Smaller organizations usually combine processes or allocate responsibility for several processes to one manager. Typically this is when there are more processes than managers. This is entirely acceptable for Part 1 and can be a very practical solution.

The service provider should discuss the scope of the SMS with their auditor. If the auditor believes the scope is inadequate for certification under Part 1, the service provider still has options for use of Part 1:

a. Change the scope to conform to Part 1. For example, ensuring the service provider has control of all processes, even if they are operated by another party and even if this involves changing a contract with a supplier.

b. Continue to use Part 1 as a goal for the quality of service management, including management involvement and responsibilities. Rely on internal audits instead of certification audits by third parties.

Gap analysis – Checking the processes

The nature of a gap analysis based on Part 1 depends on where the service provider is on a spectrum of chaotic through to highly effective.

Where chaos is the norm the gap will be large. The gap analysis will be dependent on checking what people actually do because little will be documented or, if there is documentation, the processes and procedures are not followed in practice.

Where service management is effective, the gap analysis reviews the documents and records and checks that these match reality. There will be reports from management reviews and internal audits. There may be a documented quality manual suitable as the basis for an SMS manual.

Many effective organizations implement an information security management system (ISMS) based on ISO/IEC 27001. Where this is the case, the ISMS can be extended and adapted to incorporate Part 1 requirements, as will be described by ISO/IEC 27013.

Understanding the gap

Once the gap has been documented, the implications of the gap should be understood. At this stage, it can be helpful to remind those interested, and in particular the top management, that fulfilling the requirements of Part 1 is not just an overhead required to 'get the certificate'.

Top management might need reminding that adopting Part 1 improves the service and customer satisfaction, and can save a great deal of money. For example, Part 1 is dominated by proactive processes that prevent service loss, reduce the need to fix problems and therefore reduce the overheads required to deliver the service.

Designing the SMS – top-down approach

The starting point for designing an SMS is setting expectations that there will be involvement by top management and that policies will be used to provide top management direction. This is illustrated in Figure 4, below.

Figure 4 – Policy, process and procedures supporting objectives

Planning and priorities

It is important to plan so that benefits are seen early on. This quick win approach can also mean that efficiency savings from the early improvements help fund the later improvements. The earlier improvements will also make it easier to gain approval for capital expenditure, e.g. for better service management tools for later improvements.

It is also important to consider how the changes will be seen by the service provider's personnel, customers and suppliers.

The service provider's personnel are essential to successful change. Their concerns and needs should be considered very carefully. Every individual, even the very top management at the highest level of the organization, wants to know 'what does it mean for me?'

Working through this carefully will result in a much easier programme of changes. Personnel that support the changes will make them happen – those that do not can be obstructive and prevent or delay the whole programme.

[Sidebar: Customers can be wary of service improvement programmes, especially if earlier improvements failed ('I've heard all this before. It didn't work then, why should it work this time?'). Quick wins can be very encouraging to the more cynical or those worried about the scale of changes that will be necessary ('Now I see why it's worth doing!').]

A supplier might consider it unsuitable for the service provider to have the level of control required by Part 1. This is typically if the service they contribute is also shared by many different organizations. Under these circumstances contract renegotiations between the service provider and supplier can be slow and complicated (or fast and expensive).

It is important to schedule the changes to avoid a clash with other significant events, e.g. those faced by the customers who use the service, the service provider and any key suppliers or internal groups that the service provider relies on. Seasonal peaks in activity should also be considered so that very busy periods can be avoided.

Service management process design

When designing the SMS and processes the service provider should take into account that it should be in control of all processes in Part 1, Clauses 4 to 9. This is the case even if parts of processes or whole processes are operated by other parties.

Implementing and sustaining the changes

The implementation of the SMS should be based on a fully worked plan covering all the changes necessary. The method selected does not matter as long as it is effective and it is used properly. Resources, timescales, risks and business priorities should all be taken into account.

Key steps are:

a. overall planning and design of the management system;
b. implementation of processes and procedures;
c. refinement and completion of process integration;
d. consolidation and continual improvement.

Part 5 of the 20000 series can help with this. Part 5 describes phases to achieve the full requirements of Part 1 (Figure 5). The phases can be adapted to meet the service provider's particular circumstances.

A commonly used approach is for initial implementation to be for an SMS that covers only one service or one location. The scope is then extended by adding services or locations. Each extension to scope can go through the three phases advised by Part 5. Each time it will be easier because the SMS is more firmly established.

Figure 5 – A phased approach (Part 5)

Introducing new or changed services

Part 1, Clause 5 requires a service provider to be aware, involved and in control of any work that will affect or change the services it delivers. This is particularly the case for higher risk changes to the service. Part 1 requires these to be managed by both Clause 5 and the Clause 9 control processes: configuration, change, and release and deployment management.

Part 1, Clause 5 requires proposed new or changed services to be comprehensively assessed, planned and carefully designed. Each stage in the Clause 5 process includes checks on how well each stage has been done. This prevents the new or changed services being implemented in the live environment without proper testing and the application of quality criteria.

Finally, when all requirements have been met, the new or changed service is moved into the live environment. Part 1 refers to this as 'transition'.

Using ITIL as a route to Part 1

It is possible to use a wide variety of routes to achieving certification, but the majority of organizations do so after adopting ITIL. Figure 6, with variations, is widely used to show the relationship between the 20000 series and ITIL. ITIL is a set of guidelines while Part 1 is a set of requirements, or 'must do's'. The guidance in Part 2 onwards is specific to Part 1. ITIL is more broadly based.

Figure 6 – The service management pyramid

Although broadly similar, it is helpful to be aware that the key differences between the 20000 series and ITIL include:

a. differences in emphasis and level of detail;
b. minor differences in terminology;
c. grouping of activities within processes or of processes being combined;
d. event management in ITIL is not directly reflected in Part 1;
e. the ITIL improvement process is strongly aligned to the Plan-Do-Check-Act cycle in Part 1, but is based on seven steps, not the four in Part 1;
f. service continuity and availability management are combined in one clause in Part 1, but are separate in ITIL;
g. knowledge management is not explicitly included in Part 1, but it links to several requirements for use of information and service reports;
h. service portfolio is not a requirement in Part 1, although some aspects of business relationship management link to the business understanding required for a portfolio;
i. Part 1 has no requirements for charging, because this is not universal;
j. ITIL has no direct equivalent to governance of processes operated by other parties, although much of this maps to ITIL supplier management;
k. management of internal groups and customers (acting as suppliers) also maps to supplier management in ITIL, more so than to service level management, as required by Part 1.

The relationship between ITIL and the 20000 series is to be covered by the new Part 11, as described in Chapter 1. Sources of additional advice are listed in the Bibliography and other sources of information.

Chapter 4 Continual improvement: Plan-Do-Check-Act

The SMS includes continual improvement, based on a repeating cycle of Plan-Do-Check-Act. After the SMS has been established, the PDCA cycle is used to monitor the overall performance of the SMS and services. This includes a check against requirements, identification and implementation of improvements. A PDCA cycle is shown in Figure 7.

The four PDCA stages are each processes that are part of the SMS. The PDCA cycle is applied both to the SMS and to the services the SMS delivers.

The final stage of each full PDCA cycle makes sure the planned improvements have been made and that they have had the expected effect. If not, action is necessary.

The PDCA cycle is repeated so that with each cycle the SMS and services improve.

PDCA is particularly important when service requirements change, the customer's business changes or the service provider goes through a major change. When this is the case, the PDCA cycle should be more frequent.

Figure 7 – PDCA

Overall control

The PDCA is in overall control of all improvements to the SMS and services, including the improvements identified and implemented within service management processes.

It is possible to use information from any process to identify opportunities for improvements. This can be handled locally, as long as it remains under the overall control of the SMS. Alternatively, an improvement is managed directly by PDCA. Many service improvements are the result of improvements in processes and procedures.

A driving force for the SMS is a set of policies that provides top management direction. Combined with the service requirements and the service management objectives, the policies provide goals for the SMS and the service provider's managers and other personnel.

The PDCA cycle is no exception to the role of policies. Part 1 requires a policy on continual improvement of the SMS and the services. The policy is also required to include evaluation criteria so that opportunities for improvements are assessed on an appropriate basis.

Part 1 also requires a policy to be underpinned by processes. Processes are in turn underpinned by procedures that cover all aspects of managing improvements.

Emphasis is on the importance of improving the SMS and services, including the need for evidence that top management are committed to continual improvement. This is supported by a requirement for reports to be given to top management on the performance and opportunities for improvement to the SMS and the services.

An important element of the PDCA cycle is that management are required to review opportunities for improvement and the need for changes to the SMS. This includes improvements and other changes to the policy and objectives for service management.

Similarly, internal audits are an important part of the Check stage of PDCA. Internal audits are used to identify improvements as part of PDCA.

Opportunities for improvement

There are specific references to service management processes identifying opportunities for improvement.

Service level management: Trends and performance against service targets. This applies to the activities of the service provider, internal groups
