ISO/IEC 20000-1 - BSI Group


September 2018
Latest update
Final Standard

ISO/IEC 20000-1
Understanding the requirements of ISO/IEC 20000-1:2011 and ISO/IEC 20000-1:2018
Mapping guide

ISO/IEC 20000-1 – Understanding the requirements of ISO/IEC 20000-1:2011 and ISO/IEC 20000-1:2018

Improve the quality of your service delivery with ISO/IEC 20000-1

“ISO/IEC 20000-1 sends a powerful message that we have the processes to cover the design, transition, delivery and improvement of services that fulfil our clients’ requirements. It helps us stand out.”
Leading UK-based telecommunications provider

Contents
- Comparing ISO/IEC 20000-1:2018 with ISO/IEC 20000-1:2011
- Making the transition
- Backwards compatibility
- Preparing your transition
- BSI Training

bsigroup.com

Introduction

In today’s dynamic business environment, service delivery continues to evolve and advance, presenting new opportunities and challenges for business. As service providers, it is important to not only make sure the appropriate services are delivered, but that they adapt and align with business objectives.

The update to ISO/IEC 20000-1 aims to provide a clear set of best practice requirements to help organizations deliver consistent and robust services that continue to evolve with the demands of users. The anticipated benefits of ISO/IEC 20000-1:2018 include:

Brings service management and service delivery into the heart of your business
The updated standard helps ensure that service management is integrated and aligned with the business strategies of your organization. This strategic focus will result in optimizing the performance of your service management system (SMS), making it more effective for you and your customers.

Tracks the changing trends in service management
Service management and service delivery are changing constantly. The international standard needed to evolve to allow today and tomorrow’s trends to still be applicable to ISO/IEC 20000-1. The standard has been updated in several ways to do this.
The requirements now concentrate on what to do and not how to do it. This will make it easier to use different methods with ISO/IEC 20000-1 such as ITIL, DevOps, Agile, Lean, SIAM, VeriSM.
The commoditization of services means that it’s not always possible, or desirable, to agree some items with customers. For example, agreeing a definition of an emergency change. Therefore, some changes have been made to requirements to allow for commodity services.

Less prescriptive documentation
The update has reduced the requirements for documentation and procedures which will provide greater flexibility, making it easier to apply to any service management system.

Enables integration of management systems
It adopts the new high-level structure applicable to all new ISO management systems standards, making it much easier to implement an integrated management system. The most commonly seen integrations with ISO/IEC 20000-1 are with ISO 9001, quality, and ISO/IEC 27001, information security.

Allows a smooth transition from the 2011 edition to the revised edition
The effort and investment in your existing service management system is not wasted. There is a clear transition path. There are some new requirements, a few simplified requirements and many of the existing requirements remain.

About this guide

This document presents a mapping between the requirements of ISO/IEC 20000-1:2011 Service Management System (SMS) and ISO/IEC 20000-1:2018. It has been designed for guidance purposes only and provides the following:

1. An overview of the key changes and additions to the ISO/IEC 20000-1 requirements
2. A mapping between requirements in ISO/IEC 20000-1:2011 and ISO/IEC 20000-1:2018
3. The reverse mapping

The mapping tables are designed to help you further investigate the degree of correspondence between the two versions of the standard and the different ways they express the requirements.

Figure 1: The Service Management System (SMS)

This looks more detailed than the previous version, because many of the processes have been separated and some new ones added.

Service Management System (input: Customers (internal and external), Service requirements; output: Services)
- Context of the organization: Organization and its context; Interested parties; Scope of the SMS; Establish the SMS
- Leadership: Leadership and commitment; Policy; Roles, responsibilities and authorities
- Planning: Risks and opportunities; Objectives; Plan the SMS
- Support of the SMS: Resources; Competence; Awareness; Communication; Documented information; Knowledge
- Operation of the SMS: Operational planning and control
  - Service portfolio: Service delivery; Plan the services; Control of parties involved in the service lifecycle; Service catalogue management; Asset management; Configuration management
  - Relationship and agreement: Business relationship management; Service level management; Supplier management
  - Supply and demand: Budgeting and accounting for services; Demand management; Capacity management
  - Service design, build and transition: Change management; Service design and transition; Release and deployment management
  - Resolution and fulfilment: Incident management; Service request management; Problem management
  - Service assurance: Service availability management; Service continuity management; Information security management
- Performance evaluation: Monitoring, measurement, analysis, evaluation; Internal audit; Management review; Service reporting
- Improvement: Nonconformity and corrective action; Continual improvement

Comparing ISO/IEC 20000-1:2018 with ISO/IEC 20000-1:2011

Overview of new and updated concepts in ISO/IEC 20000-1:2018

ISO/IEC 20000-1:2018 is based on Annex SL – the new ISO high-level structure (HLS) that brings a common framework to all management systems. This helps to keep consistency and align different management system standards by providing matching sub-clauses within the high-level structure and applying common terminology across all standards.

The key changes are listed below:

New/updated concept | Comment
Context of the organization | A new clause from Annex SL which provides a greater understanding of the factors that can affect the organization, positively or negatively, and the interested parties (stakeholders) of the organization with their requirements for service management and the services.
New clauses | Requirements have been added for Plan the services and Knowledge. Annex SL has also led to requirements for Planning to achieve objectives being added.
Significant updates | No clauses have been deleted but some requirements from clauses in the 2011 edition have been moved to clauses with new titles. Some clauses have significant updates - Actions to address risks and opportunities; Establish objectives; Communication; Monitoring, measurement, analysis and evaluation; Nonconformity and corrective action. The 2011 edition clause 'Governance of processes operated by other parties' has significant updates and has been renamed as 'Control of parties involved in the service lifecycle.'
Simplified clauses | Many clauses have been simplified to concentrate on what to do, rather than details about how to carry out the requirements e.g. the Budgeting and accounting for services process has been considerably simplified.
Separated combined clauses | Clauses that were previously combined for Incident management, Service request management, Service continuity management, Service availability management, Service level management, Service catalogue management, Capacity management and Demand management have now been separated into individual clauses.
Documented information and procedures | Reduction in the number of required documents. Less prescriptive e.g. documented availability and capacity plans have been replaced with requirements to agree service availability requirements and targets and to plan for capacity.
Service reporting | The requirements to produce the actual reports are now embedded within relevant sub-clauses 8, 9 and 10. 2018 Clause 9.4 has the high-level requirements for reporting in general.
Service provider | Replaced by Organization which is used across all standards using Annex SL.
Internal group | Replaced by Internal supplier. As a result of this, the term Supplier has been replaced by External supplier.
Configuration Management Database (CMDB) | Replaced by Configuration information.
Information security definition | Aligned with the definition in ISO/IEC 27000 to enable integration with ISO/IEC 27001. As a result of this, Availability has changed to Service availability.

Making the transition

Table 1: Clause cross reference from ISO/IEC 20000-1:2011 to ISO/IEC 20000-1:2018

This is useful if you are considering a transition project from ISO/IEC 20000-1:2011 to the new version.

ISO/IEC 20000-1:2011 | ISO/IEC 20000-1:2018
4.1 Management responsibility | 5 Leadership
4.1.1 Management commitment | 4.4 Service management system; 5.1 Leadership and commitment; 6.1 Actions to address risks and opportunities; 6.2.1 Establish …
4.1.2 Service management policy | …
4.1.3 Authority, responsibility and communication | … nizational roles, responsibilities and authorities; 7.4 Communication
4.1.4 Management representative | 4.2 Understanding the needs and expectations of interested parties; 5.3 Organizational roles, responsibilities and authorities; 8.1 Operational planning and control; 8.2.2 Plan the services; 8.2.5 Asset management
4.2 Governance of processes operated by other parties | 8.1 Operational planning and control; 8.2.3 Control of parties involved in the service lifecycle
4.3 Documentation management | 7.5 Documented information
4.3.1 Establish and maintain documents | 7.5.1 General; 7.5.4 Service management system documented information
4.3.2 Control of documents | 7.5.2 Creating and updating documented information; 7.5.3 Control of documented information
4.3.3 Control of records | 7.5.3 Control of documented information
4.4 Resource management | 7.1 Resources; 7.2 Competence
4.4.1 Provision of resources | 7.1 Resources
4.4.2 Human resources | 7.2 Competence; 7.3 Awareness

Table 1 – Continued

ISO/IEC 20000-1:2011 | ISO/IEC 20000-1:2018
4.5 Establish and improve the SMS | 4 Context of the organization; 6 Planning; 8 Operation of the service management system; 9 Performance evaluation; 10 Improvement
4.5.1 Define scope | 4.3 Determining the scope of the service management system
4.5.2 Plan the SMS (Plan) | 6.1 Actions to address risks and opportunities; 6.3 Plan the service management system
4.5.3 Implement and operate the SMS (Do) | 4.4 Service management system; 8.1 Operational planning and control; 8.2.1 Service delivery
4.5.4 Monitor and review the SMS (Check) | 9 Performance evaluation
4.5.4.1 General | 9.1 Monitoring, measurement, analysis and evaluation; 9.2 Internal audit; 9.3 Management review
4.5.4.2 Internal audit | 9.2 Internal audit; 10.1 Nonconformity and corrective action
4.5.4.3 Management review | 9.3 Management review
4.5.5 Maintain and improve the SMS (Act) | 10 Improvement
4.5.5.1 General | 10.1 Nonconformity and corrective action; 10.2 Continual improvement
4.5.5.2 Management of improvements | 10.2 Continual improvement
5 Design and transition of new or changed services | 8.5.2 Service design and transition
5.1 General | 8.5.1.2 Change management initiation
5.2 Plan new or changed services | 8.2.2 Plan the services; 8.2.3 Control of parties involved in the service lifecycle; 8.5.2.1 Plan new or changed services
5.3 Design and development of new or changed services | 8.5.2.2 Design; 8.5.2.3 Build and transition
5.4 Transition of new or changed services | 8.5.2.3 Build and transition
6 Service delivery processes | 8 Operation of the service management system
6.1 Service level management | 8.3.3 Service level management; 8.2.4 Service catalogue management; 8.3.4.2 Management of internal suppliers and customers acting as a supplier

Table 1 – Continued

ISO/IEC 20000-1:2011 | ISO/IEC 20000-1:2018
6.2 Service reporting | 8.3.2 Business relationship management; 8.3.3 Service level management; 8.5.2.3 Build and transition; 8.6.1 Incident management; 8.7.2 Service continuity management; 9.2.2 Internal audit; 9.4 Service reporting; 10.1.2 Nonconformity and corrective action
6.3 Service continuity and availability management | 8.7.1 Service availability management; 8.7.2 Service continuity management
6.3.1 Service continuity and availability requirements | 8.7.2 Service continuity management
6.3.2 Service continuity and availability plans | 8.5.1.3 Change management activities; 8.7.1 Service availability management
6.3.3 Service continuity and availability monitoring and testing | 8.7.2 Service continuity management
6.4 Budgeting and accounting for services | 8.4.1 Budgeting and accounting for services
6.5 Capacity management | 8.4.2 Demand management; 8.4.3 Capacity management
6.6 Information security management | 8.7.3 Information security management
6.6.1 Information security policy | 6.1 Actions to address risks and opportunities; 8.7.3.1 Information security policy
6.6.2 Information security controls | 8.7.3.2 Information security controls
6.6.3 Information security changes and incidents | 8.5.1.3 Change management activities; 8.7.3.3 Information security incidents
7 Relationship processes | 8.3 Relationship and agreement
7.1 Business relationship management | 4.2 Understanding the needs and expectations of interested parties; 8.3.2 Business relationship management
7.2 Supplier management | 8.3.1 Relationship and agreement, General; 8.3.4.1 Management of external suppliers
8 Resolution processes | 8.6 Resolution and fulfilment
8.1 Incident and service request management | 8.6.1 Incident management; 8.6.2 Service request management
8.2 Problem management | 8.6.3 Problem management
9 Control processes | 8.2.6 Configuration management; 8.5 Service design, build and transition

Table 1 – Continued

ISO/IEC 20000-1:2011 | ISO/IEC 20000-1:2018
9.1 Configuration management | 8.2.6 Configuration management; 8.5.3 Release and deployment management
9.2 Change management | 8.1 Operational planning and control; 8.5.1.1 Change management policy; 8.5.1.2 Change management initiation; 8.5.1.3 Change management activities
9.3 Release and deployment management | 8.5.1.3 Change management activities; 8.5.3 Release and deployment management

Backwards compatibility

Table 2: Clause cross reference from ISO/IEC 20000-1:2018 to ISO/IEC 20000-1:2011

Use this table to check ‘backwards compatibility’ between new and old systems, for example if you are designing your Service Management System from new but need to understand how the system might be compatible with other earlier versions of the system (e.g. on other sites, elsewhere in a corporate group or supply chain etc.).

ISO/IEC 20000-1:2018 | ISO/IEC 20000-1:2011
4 Context of the organization | 4.1 Management responsibility; 4.5.1 Define scope; 4.5.2 Plan the SMS (Plan); 7.1 Business relationship management
4.1 Understanding the organization and its context | New clause
4.2 Understanding the needs and expectations of interested parties | 4.1.4 Management representative; 7.1 Business relationship management
4.3 Determining the scope of the service management system | 4.5.1 Define scope
4.4 Service management system | 4.1.1 Management commitment; 4.5.3 Implement and operate the SMS (Do)
5 Leadership | 4.1 Management responsibility
5.1 Leadership and commitment | 4.1.1 Management commitment
5.2 Policy | 4.1.2 Service management policy
5.2.1 Establishing the service management policy | 4.1.2 Service management policy
5.2.2 Communicating the service management policy | 4.1.2 Service management policy
5.3 Organizational roles, responsibilities and authorities | 4.1.3 Authority, responsibility and communication; 4.1.4 Management representative
6 Planning | 4.1.1 Management commitment; 4.5.2 Plan the SMS (Plan); 6.6.1 Information security policy
6.1 Actions to address risks and opportunities | 4.1.1 Management commitment; 4.5.2 Plan the SMS (Plan); 6.6.1 Information security policy
6.2 Service management objectives and planning to achieve them | 4.1.1 Management commitment
6.2.1 Establish objectives | 4.1.1 Management commitment
6.2.2 Plan to achieve objectives | New clause
6.3 Plan the service management system | 4.5.2 Plan the SMS (Plan)
7 Support of the service management system | 4.1 Management responsibility; 4.3 Documentation management; 4.4 Resource management

Table 2 – Continued

ISO/IEC 20000-1:2018 | ISO/IEC 20000-1:2011
7.1 Resources | 4.4.1 Provision of …
… | .1.1 Management commitment; 4.1.2 Service management policy; 4.4.2 Human resource
7.4 Communication | 4.1.3 Authority, responsibility and communication
7.5 Documented information | 4.3 Documentation management
7.5.1 General | 4.3.1 Establish and maintain documents
7.5.2 Creating and updating documented information | 4.3.2 Control of documents
7.5.3 Control of documented information | 4.3.2 Control of documents; 4.3.3 Control of records
7.5.4 Service management system documented information | 4.3.1 Establish and maintain documents
7.6 Knowledge | New clause
8 Operation | 4 Service management system general requirements; 5 Design and transition of new or changed services; 6 Service delivery processes; 7 Relationship processes; 8 Resolution processes; 9 Control processes
8.1 Operational planning and control | 4.1.4 Management representative; 4.2 Governance of processes operated by other parties; 4.5.3 Implement and operate the SMS (Do); 9.2 Change management
8.2 Service portfolio | 4.1.4 Management representative; 4.2 Governance of processes operated by other parties; 4.5.3 Implement and operate the SMS (Do); 5.2 Plan new or changed services; 6.1 Service level management; 9.1 Configuration management
8.2.1 Service delivery | 4.5.3 Implement and operate the SMS (Do)
8.2.2 Plan the services | 4.1.4 Management representative; 5.2 Plan new or changed services
8.2.3 Control of parties involved in the service lifecycle | 4.2 Governance of processes operated by other parties; 5.2 Plan new or changed services

Table 2 – Continued

ISO/IEC 20000-1:2018 | ISO/IEC 20000-1:2011
8.2.4 Service catalogue management | 6.1 Service level management
8.2.5 Asset management | 4.1.4 Management representative
8.2.6 Configuration management | 9.1 Configuration management
8.3 Relationship and agreement | 6.1 Service level management; 6.2 Service reporting; 7 Relationship processes
8.3.1 General | 7.2 Supplier management
8.3.2 Business relationship management | 6.2 Service reporting; 7.1 Business relationship management
8.3.3 Service level management | 6.1 Service level management; 6.2 Service reporting
8.3.4 Supplier management | 6.1 Service level management; 7.2 Supplier management
8.3.4.1 Management of external suppliers | 7.2 Supplier management
8.3.4.2 Management of internal suppliers and customers acting as a supplier | 6.1 Service level management
8.4 Supply and demand | 6.4 Budgeting and accounting for services; 6.5 Capacity management
8.4.1 Budgeting and accounting for services | 6.4 Budgeting and accounting for services
8.4.2 Demand management | 6.5 Capacity management
8.4.3 Capacity management | 6.5 Capacity management
8.5 Service design, build and transition | 5 Design and transition of new or changed services; 9 Control processes
8.5.1 Change management | 5.1 Design and transition of new or changed services, General; 6.3 Service continuity and availability management; 6.6 Information security management; 9.2 Change management
8.5.1.1 Change management policy | 9.2 Change management
8.5.1.2 Change management initiation | 5.1 Design and transition of new or changed services, General; 9.2 Change management
8.5.1.3 Change management activities | 6.3.2 Service continuity and availability plans; 6.3.3 Service continuity and availability monitoring and testing; 9.2 Change management; 9.3 Release and deployment management
8.5.2 Service design and transition | 5 Design and transition of new or changed services; 6.2 Service reporting

Table 2 – Continued

ISO/IEC 20000-1:2018 | ISO/IEC 20000-1:2011
8.5.2.1 Plan new or changed services | 5.2 Plan new or changed services
8.5.2.2 Design | 5.3 Design and development of new or changed services
8.5.2.3 Build and transition | 5.3 Design and development of new or changed services; 5.4 Transition of new or changed services; 6.2 Service reporting
8.5.3 Release and deployment management | 9.1 Configuration management; 9.3 Release and deployment management
8.6 Resolution and fulfilment | 8.1 Incident and service request management; 8.2 Problem management
8.6.1 Incident management | 6.2 Service reporting; 8.1 Incident and service request management
8.6.2 Service request management | 8.1 Incident and service request management
8.6.3 Problem management | 8.2 Problem management
8.7 Service assurance | 6.3 Service continuity and availability management; 6.6 Information security management
8.7.1 Service availability management | 6.3 Service continuity and availability management
8.7.2 Service continuity management | 6.2 Service reporting; 6.3 Service continuity and availability management
8.7.3 Information security management | 6.6 Information security management
8.7.3.1 Information security policy | 6.6.1 Information security policy
8.7.3.2 Information security controls | 6.6.2 Information security controls
8.7.3.3 Information security incidents | 6.6.3 Information security changes and incidents
9 Performance evaluation | 4.5.4 Monitor and review the SMS (Check); 6.2 Service reporting
9.1 Monitoring, measurement, analysis and evaluation | 4.5.4.1 Monitor and review the SMS (Check), General
9.2 Internal audit | 4.5.4.1 Monitor and review the SMS (Check), General; 4.5.4.2 Internal audit; 6.2 Service reporting
9.3 Management review | 4.5.4.1 Monitor and review the SMS (Check), General; 4.5.4.3 Management review
9.4 Service reporting | 6.2 Service reporting
10 Improvement | 4.5.5 Maintain and improve the SMS (Act)
10.1 Nonconformity and corrective action | 4.5.4.2 Internal audit; 4.5.5.1 Maintain and improve the SMS (Act), General; 6.2 Service reporting
10.2 Continual improvement | 4.5.5.1 Maintain and improve the SMS (Act), General; 4.5.5.2 Management of improvements

Preparing for ISO/IEC 20000-1:2018

Six steps for a successful transition

Don’t delay – start today

BSI has identified a step-by-step journey to help you understand and realize the benefits of the revised ISO/IEC 20000-1. We have mapped out a framework which guides you through the options and support available from BSI to ensure you have the knowledge and information you require.

1 Talk to your BSI Client Manager
- Discuss your challenges and timelines
- Review the latest content on the BSI website for background information
- Buy your copy of ISO/IEC 20000-1

2 Attend BSI’s Training Academy
- Delivered by experts, understand the new requirements faster and in greater detail by attending one of our training courses

3 Gap assessment
- To help you prepare for ISO/IEC 20000-1 we can use our experts to complete a gap analysis to identify your strengths and weaknesses. This will then help you prepare for Step 6

4 Set up an internal project team
- Create an implementation plan and monitor progress
- Take a fresh look at your service management system
- Implement the new requirements on leadership, risk and context of the organization
- Adapt your documentation to reflect the new structure

5 Communicate with your organization
- Talk to your leadership team about the new requirements
- Communicate the revision to your wider organization to gain buy in
- Send regular updates on progress

6 Transition assessment
- Working with your BSI client manager you can complete your transition to the new standard before the deadline in September 2021

ISO/IEC 20000-1 transition timeline (2018, 2019, 2020, 2021)
- September 2018: New ISO publication
- September 2018: Start of three year transition period to September 2021

Training from BSI

Whatever your specific requirements, BSI has developed a series of training courses to meet your needs. Designed by experts who have been directly involved in the development of ISO/IEC 20000-1, our experienced tutors can help you get to grips with the matters that concern you. These ISO/IEC 20000-1:2018 courses include:

ISO/IEC 20000-1:2018 – Transition
1 day classroom based training course
- Learn about the new ISO high level structure and the revised requirements of ISO/IEC 20000-1:2018
- Essential for anyone, from managers to implementers and auditors, involved with transitioning their service management system from ISO/IEC 20000-1:2011 to the revised ISO/IEC 20000-1

ISO/IEC 20000-1:2018 – Auditing the changes
1 day classroom based training course
- Prepare to audit the changes in ISO/IEC 20000-1:2018
- Essential for anyone involved with auditing the changes to a service management system
- For anyone who has already attended our ISO/IEC 20000-1:2018 transition course or half day seminar, who will audit the changes

ISO/IEC 20000-1:2018 – Implementing the changes
1 day classroom based training course
- Learn about how to implement the changes in ISO/IEC 20000-1:2018
- Essential for anyone involved with implementing the changes to a service management system
- For anyone who has already attended our ISO/IEC 20000-1:2018 transition course or half day seminar, who needs to implement the changes

Find out more: bsigroup.com

Why BSI?

BSI has been at the forefront of ISO/IEC 20000-1 since the start. Originally based on BS 15000, developed by BSI in 2000, we’ve been involved in its development and the ISO technical committee ever since. That’s why we’re best placed to help you understand the standard.

At BSI we create excellence by driving the success of our clients through standards. We help organizations to embed resilience, helping them to grow sustainably, adapt to change, and prosper for the long term. We make excellence a habit.

To learn more, please visit: bsigroup.com

Find out more
Call: 44 (0)345 080 9000
Visit: bsigroup.com

About BSI

BSI is the business improvement company that enables organizations to turn standards of best practice into habits of excellence. For over a century BSI has championed what good looks like and driven best practice in organizations around the world. Working with over 86,000 clients across 193 countries, it is a truly international business with skills and experience across a number of sectors including automotive, aerospace, built environment, food, and healthcare. Through its expertise in Standards Development and Knowledge Solutions, Assurance and Professional Services, BSI improves business performance to help clients grow sustainably, manage risk and ultimately be more resilient.

Copyright 2018, The British Standards Institution. All rights reserved.
BSI/UK/1392/SC/0618/EN/GRP
