Date post: 05-Aug-2021
The ISO/IEC 20000 Service Management Handbook Training – Implementation – Certification Jenny Dugmore
Page 1: The ISO/IEC 20000 Service Management Handbook · 2018. 11. 16. · ISO/IEC TS 15504-8: An exemplar assessment model for IT service management (under development) This is the process

The ISO/IEC 20000

Service Management

Handbook

Training – Implementation – Certification

Jenny Dugmore


First published in the UK in 2012

by

ConnectSphere

Business and Technology Centre

Bessemer Drive

Stevenage

Hertfordshire SG1 2DX

UK

www.connectsphere.com

© ConnectSphere Limited

The moral right of the author has been asserted.

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act

1988, no part of this publication may be reproduced, stored in a retrieval system or

transmitted in any form or by any means – electronic, photocopying, recording or

otherwise, without prior permission in writing from the copyright owner and publisher.

Whilst every care has been taken in developing and compiling this publication,

ConnectSphere accepts no liability for any loss or damage caused, arising directly or

indirectly in connection with reliance on its contents except to the extent that such liability

may not be excluded in law.

Printed in Great Britain by ConnectSphere.

ISBN 978-1-908772-04-6


The ISO/IEC 20000 Service Management Handbook

Contents

This handbook and ISO/IEC 20000 ... 1

Chapter 1 What is the 20000 series? ... 3

Chapter 2 Close links to the 20000 series ... 5

Chapter 3 The first steps in implementing Part 1 ... 7

Chapter 4 Continual improvement: Plan-Do-Check-Act ... 13

Chapter 5 The Part 1 requirements summarized ... 15

Chapter 6 Certification and qualification schemes ... 21

Chapter 7 Differences between Part 1:2005 and Part 1:2011 ... 23

Annex A The Part 1 collections ... 29

Annex B Checklist of documents, records and evidence ... 37

Bibliography and other sources of information ... 43


The ISO/IEC 20000 Service Management Handbook

1

This handbook and ISO/IEC 20000

The service management industry recognizes that there must be consistently high standards in how services are delivered. It also recognizes that technology-based services are normally reliant on the contribution of several organizations, across a supply chain. ISO/IEC 20000, a multi-part series of International Standards and Technical Reports on service management, is the result of this recognition.

ISO/IEC 20000 originated in the UK as BS 15000, from work that started in the late 1980s. The two parts of BS 15000 were the world's first service management standards. Following an early adopters' scheme and publication of a second edition, the two-part BS 15000 became the two-part ISO/IEC 20000 in 2005. Both parts of ISO/IEC 20000 were published in English and then translated into several other languages. Both parts have now been revised and re-published. The 20000 series has also been extended.

Adopting ISO/IEC 20000 means an organization has increased credibility, greater control and reduced costs. It contributes to compliance with regulatory and statutory requirements and contractual obligations. Using ISO/IEC 20000 means service management is based on tried and tested industry best practices, saving time and money.

The general principles of ISO/IEC 20000 apply to a very broad base of organizations with a variety of forms, interests and circumstances. Consequently, different organizations implement service management in ways that differ at a detailed level, but the general best practice principles remain the same across these organizations. This means delivery of services is not reliant on a confused mixture of practices and processes across a supply chain.

This handbook covers the key points in ISO/IEC 20000, in particular the requirements for a service management system specified in ISO/IEC 20000-1.

This handbook provides support for anyone with an interest in service management. It will be of interest to those responsible for service management being implemented or improved and those preparing for a certification audit. It will also be helpful to customers and procurement departments who wish to have better services at reduced costs.

It will be of use as an aide-memoire; particularly for those preparing for an examination, but it is not a substitute for the actual ISO/IEC 20000.

Other handbooks will be available in 2012. They include information security, specific advice on the use of ITIL¹ to achieve Part 1 requirements, governance of IT, information security and customer satisfaction management.

¹ ITIL® is a Registered Trade Mark of the Cabinet Office.


Chapter 1 What is the 20000 series?

ISO/IEC 20000 is now a five-part '20000 series', with other parts planned. As described below, Parts 1 to 5 are published and Parts 7, 10 and 11 are under development. Parts 6, 8 and 9 are reserved for future projects.

The core of the 20000 series remains ISO/IEC 20000-1, a set of requirements for a service management system (SMS) that can be used as the basis of an audit. ISO/IEC 20000-1 is also known as 'Part 1'.

All current International Standards are framework independent. However, ISO/IEC 20000 is sometimes referred to as 'the ITIL standard'. The synergy between ISO/IEC 20000 and ITIL means that the growth in the use of ITIL is mirrored by the growth in the use of ISO/IEC 20000. ITIL and the 20000 series are owned by different organizations and are developed over different timescales, using different approaches. As a result, although they each add value to the other, there are inevitably some differences. The key differences are summarised at the end of Chapter 3.

Part 1: The requirements (the 'shalls')

Part 1 requirements are based on the verb 'shall'; they are the 'must do's'. The Part 1 requirements are for an SMS as an effective method of delivering a service, continual improvement and service management.

Part 1 is rarely used standalone. It can be likened to a recipe without instructions for how the ingredients are to be used. The rest of the 20000 series (and ITIL) provide the guidance on how to plan, design, implement and operate a Part 1 SMS.

Neither the guidance in the 20000 series nor ITIL can change the Part 1 requirements. Conflict in the interpretation of requirements should be resolved by reference to Part 1.

This handbook refers to the 2011 edition of Part 1 and includes a summary of the key differences between the 2005 and 2011 editions, in Chapter 7.

Part 2: Guidance on application of SMS

The second edition, published in 2012, explains each Part 1 requirement using practical examples, i.e. what to do with the ingredients in the Part 1 recipe.

Part 3: Guidance on scope and applicability

The 2009 first edition of Part 3 is a Technical Report with scenario-based guidance on how to define the scope of an SMS. Part 3 also provides guidance on scope statements for certificates awarded following a successful independent audit. It is useful for internal and external auditors. It is also useful for those designing a new or changed service that affects the scope of an established SMS.

Part 3 is under revision to align with the 2011 edition of Part 1. The second edition of Part 3 will be an International Standard instead of a Technical Report.


Part 4: Process reference model (PRM)

'Will we ever achieve Part 1?' can be a daunting question. In contrast, some organizations wish to go 'beyond 20000'. As a result, there is interest in multi-level assessment models that span the most basic to an SMS that exceeds Part 1 requirements.

Part 4 is a process reference model. It has been developed to act as the basis of a process assessment model to be published as ISO/IEC TS 15504-8. Part 4 is of most use to those interested in multi-level assessments.

Part 5: Exemplar implementation plan for Part 1

Part 5 was published in 2010 in response to questions such as: 'How do we implement Part 1?' It is a general purpose plan for 'what to do first, what to do next and what to do last' when implementing Part 1. It includes guidance on topics such as business cases and effective policies.

The second edition of Part 5 will include more on governance of processes, management of internal groups and customers acting as suppliers, as well as the service provider's early involvement in projects that will lead to changes to services.

Part 5 is of most use to those involved in implementing an SMS, or making a major change to the SMS or services, including continual improvements.

Part 7: Application of Part 1 to the cloud (under development)

Part 1 is applicable to all technology-enabled services. Part 7 will give guidance to those applying Part 1 to services delivered by cloud technology.

Part 10: Concepts and terminology (under development)

Part 10 explains the context of Part 1: relationships to the 20000 series, other standards, methods and frameworks. All the special terms currently defined only in Part 1 will also be in Part 10, for easier use across the whole 20000 series.

Part 11: Mapping of Part 1 and ITIL (under development)

Part 11 is being developed in response to market research into what the service management industry wants: 'How do ISO/IEC 20000 and ITIL align?' This is a new initiative for the International Organization for Standardization (ISO). ISO does not normally publish documents that include another organization's copyright.

Part 11 is a Technical Report partly because of the different revision cycles of the 20000 series and of ITIL. The different cycles mean the contents of Part 11 will have to be updated more frequently than is usual for an International Standard. Publication of a Technical Report takes approximately half the time required for an International Standard.

Part 11 will be followed by the mapping of Part 1 to other non-ISO standards, methods and frameworks, depending on future market research.


Chapter 2 Close links to the 20000 series

The 20000 environment

A number of standards, methods and frameworks are not part of the 20000 series, but are linked to it and can enhance the use of the series. Several of these are shown in Figure 1, below; the most closely linked are also described in the text.

Figure 1 – ISO/IEC 20000 and other standards, method and frameworks

ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (under development)

This guidance document is due for publication in late 2012. It is a practical summary of requirements in ISO/IEC 27001, Information security management systems – Requirements and in Part 1.

It provides guidance on establishing an integrated management system based on both standards. Although ISO/IEC 27013 is part of the 27000 series, the contents are equally weighted to both standards.

'Integrated' is the term used where the common features of both standards are implemented once. This goes well beyond the overlap of Part 1, Clause 6.6 on information security management with ISO/IEC 27001.

Many of the information security controls in ISO/IEC 27001 are similar to the requirements in Part 1. Although terms and definitions are often different, many requirements have a common intent across both standards. ISO/IEC 27013 helps the reader understand where one standard can be used to strengthen the other.


ISO/IEC TS 15504-8: An exemplar assessment model for IT service management (under development)

This is the process assessment model (PAM) based on Part 4 of the 20000 series, referred to in Chapter 1. It is a Technical Specification rather than an International Standard.

It will enable implemented processes in Part 1 to be assessed according to the requirements of ISO/IEC 15504-2, Information technology — Process assessment — Performing an assessment. ISO/IEC 15504-2 is the standard that defines how processes are assessed. It will be useful for determining capability.

ISO/IEC TS 15504-8 gives more detail on service management process performance and capability than Part 1.

ISO/IEC TS 15504-8 splits the Part 1 processes and the process attributes across levels.

The lowest level is where there are serious defects in the service management. There is little or no formality, inadequate documentation and neither process integration nor continual improvement is effective.

At the highest level, there is a very high quality of management, service management and optimization of processes.

ISO/IEC 19770: Software asset management – Parts 1 and 2

ISO/IEC 19770-1: Processes

This standard is a set of detailed requirements for software asset management (SAM). The standard is designed to enable an organization to prove that SAM satisfies corporate governance requirements. It provides effective support for service management overall.

ISO/IEC 19770-2: Software identification tag

ISO/IEC 19770-2 is a detailed subset of the full ISO/IEC 19770-1. It provides a SAM data standard for software identification (SWID) tags. SWID tags give identification information for software or other licensable digital items, such as fonts or copyrighted papers.

Other parts of the 19770 series are under development.

ISO/IEC TR 90006: Application of ISO 9001 applied to service management (under development)

This Technical Report is targeted at the users of ISO 9001. It will provide guidance for the application of ISO 9001 requirements to the processes and activities covered by ISO/IEC 20000-1.

Others in this series include ISO/IEC 90003, which is guidance for the application of ISO 9001 to the acquisition, supply, development, operation and maintenance of computer software and related support services.


Chapter 3 The first steps in implementing Part 1

Understanding service management systems

All organizations have some form of management system – at its simplest it is how an organization is managed. Regrettably, some management systems are ineffective. Typically, they lack management direction, are variable in operation and have too little documentation. In these organizations, the managers are usually too busy dealing with crises to actually manage people, processes or technology.

An SMS is broadly applicable to all aspects of managing a service. The service management processes distinguish Part 1 from other management systems. The Part 1 requirements for an SMS are summarised in Annex A.

The SMS is how the service provider achieves overall control of everything used to deliver and control technology-based services. An SMS includes some aspects of governance. Despite being a 'management system', it is far from being 'only what the managers do'. It covers the full spectrum of roles and responsibilities of top management to the most junior personnel. The 20000 series uses 'top management' for the highest level of managers in the service provider organization.

The components of the SMS range from the specialized back office processes, such as configuration management, through to the front office business relationship management process. The SMS encompasses short-term reactive processes such as incident management through to long-term proactive activities such as service continuity management and continual improvement (Figure 2).

Figure 2 – Components of the SMS

Checking the scope

An SMS can be established as a completely new initiative, without reuse of a service provider's existing practices, documents or records. This is a relatively rare event. Usually, the more cost-effective and faster approach is to reuse as much as possible. For example, it is common for processes to be performed at a high standard by dedicated personnel, but with each process operating in isolation. Cooperative working and integration of the processes in Part 1 is fundamental to the success of an SMS.

Reusing what is good involves a review of what is present – good and bad. This is a review of what is actually done as well as what is documented.

A gap analysis comparing reality to the requirements for an SMS in Part 1 is an important early step, as described below. The list of documents and records relevant to Part 1 given in Annex B will be helpful for this. Another early step is a check that the scope of the service provider's activities is appropriate for Part 1. For example, are all the processes in Part 1 implemented?

Service delivery may rely on processes operated by other parties. When this is the case, the service provider should be in full control of the supply chain and in particular the processes operated by other parties. This might sound like a statement of the glaringly obvious, but it is regrettably common for service providers to agree a contract with a supplier that leaves them with little control over what the service provider delivers and how. How the supply chain affects scope definition is also explained in Chapter 7. An example supply chain relevant to the 20000 series is shown in Figure 3.

Figure 3 – A simple example of a supply chain

The processes do not need to have the names used in Part 1. Nor does the service provider need to subdivide service management in the same way as Part 1. For example, incident and service request management can be two separate processes or even combined with another process.

Smaller organizations usually combine processes or allocate responsibility for several processes to one manager. Typically this is when there are more processes than managers. This is entirely acceptable for Part 1 and can be a very practical solution.

The service provider should discuss the scope of the SMS with their auditor. If the auditor believes the scope is inadequate for certification under Part 1, the service provider still has options for use of Part 1:

a. Change the scope to conform to Part 1. For example, ensuring the service provider has control of all processes, even if they are operated by another party and even if this involves changing a contract with a supplier.

b. Continue to use Part 1 as a goal for the quality of service management, including management involvement and responsibilities. Rely on internal audits instead of certification audits by third parties.


Gap analysis – Checking the processes

The nature of a gap analysis based on Part 1 depends on where the service provider is on a spectrum of chaotic through to highly effective.

Where chaos is the norm the gap will be large. The gap analysis will be dependent on checking what people actually do because little will be documented or, if there is documentation, the processes and procedures are not followed in practice.

Where service management is effective, the gap analysis reviews the documents and records and checks that these match reality. There will be reports from management reviews and internal audits. There may be a documented quality manual suitable as the basis for an SMS manual.

Many effective organizations implement an information security management system (ISMS) based on ISO/IEC 27001. Where this is the case, the ISMS can be extended and adapted to incorporate Part 1 requirements, as will be described by ISO/IEC 27013.

Understanding the gap

Once the gap has been documented, the implications of the gap should be understood. At this stage, it can be helpful to remind those interested, and, in particular, the top management, that fulfilling the requirements of Part 1 is not just an overhead required to 'get the certificate'.

Top management might need reminding that adopting Part 1 improves the service, customer satisfaction and can save a great deal of money. For example, Part 1 is dominated by proactive processes that prevent service loss, reduce the need to fix problems and therefore reduce the overheads required to deliver the service.

Designing the SMS – top-down approach

The starting point for designing an SMS is setting expectations that there will be involvement by top management and that policies will be used to provide top management direction. This is illustrated in Figure 4, below.

Figure 4 – Policy, process and procedures supporting objectives


Planning and priorities

It is important to plan so that benefits are seen early on. This quick win approach can also mean that efficiency savings from the early improvements help fund the later improvements. The earlier improvements will also make it easier to gain approval for capital expenditure, e.g. for better service management tools for later improvements.

It is also important to consider how the changes will be seen by the service provider's personnel, customers and suppliers.

The service provider's personnel are essential to successful change. Their concerns and needs should be considered very carefully. Every individual, even the very top management at the highest level of the organization, wants to know 'what does it mean for me?'

Working through this carefully will result in a much easier programme of changes. Personnel that support the changes will make them happen – those that do not can be obstructive and prevent or delay the whole programme.

Customers can be wary of service improvement programmes, especially if earlier improvements failed.

Quick wins can be very encouraging to the more cynical or those worried about the scale of changes that will be necessary.

A supplier might consider it unsuitable for the service provider to have the level of control required by Part 1. This is typically if the service they contribute is also shared by many different organizations. Under these circumstances contract renegotiations between the service provider and supplier can be slow and complicated (or fast and expensive).

It is important to schedule the changes to avoid a clash with other significant events, e.g. those faced by the customers who use the service, the service provider and any key suppliers or internal groups that the service provider relies on. Seasonal peaks in activity should also be considered so that very busy periods can be avoided.

Service management process design

When designing the SMS and processes the service provider should take into account that it should be in control of all processes in Part 1, Clauses 4 to 9. This is the case even if parts of processes or whole processes are operated by other parties.

Figure speech bubbles (illustration text): 'I've heard all this before. It didn't work then, why should it work this time?' and 'Now I see why it's worth doing!'


Implementing and sustaining the changes

The implementation of the SMS should be based on a fully worked plan covering all the changes necessary. The method selected does not matter as long as it is effective and it is used properly. Resources, timescales, risks and business priorities should all be taken into account.

Key steps are:

a. overall planning and design of the management system;

b. implementation of processes and procedures;

c. refinement and completion of process integration;

d. consolidation and continual improvement.

Part 5 of the 20000 series can help with this. Part 5 describes phases to achieve the full requirements of Part 1 (Figure 5). The phases can be adapted to meet the service provider's particular circumstances.

A commonly used approach is for initial implementation to be for an SMS that covers only one service or one location. The scope is then extended by adding services or locations. Each extension to scope can go through the three phases advised by Part 5. Each time it will be easier because the SMS is more firmly established.

Figure 5 – A phased approach (Part 5)

Introducing new or changed services

Part 1, Clause 5 requires a service provider to be aware, involved and in control of any work that will affect or change the services it delivers. This is particularly the case for higher risk changes to the service. Part 1 requires these to be managed by both Clause 5 and the Clause 9 control processes: configuration, change, and release and deployment management.

Part 1, Clause 5 requires proposed new or changed services to be comprehensively assessed, planned and carefully designed. Each stage in the Clause 5 process includes checks on how well each stage has been done. This prevents the new or changed services being implemented in the live environment without proper testing and the application of quality criteria.

Finally, when all requirements have been met, the new or changed service is moved into the live environment. Part 1 refers to this as 'transition'.


Using ITIL as a route to Part 1

It is possible to use a wide variety of routes to achieving certification, but the majority of organizations do so after adopting ITIL. Figure 6, with variations, is widely used to show the relationship between the 20000 series and ITIL. ITIL is a set of guidelines while Part 1 is a set of requirements, or 'must do's'. The guidance in Part 2 onwards is specific to Part 1. ITIL is more broadly based.

Figure 6 – The service management pyramid

Although broadly similar, it is helpful to be aware that the key differences between the 20000 series and ITIL include:

a. differences in emphasis and level of detail;

b. minor differences in terminology;

c. grouping of activities within processes or of processes being combined;

d. event management in ITIL is not directly reflected in Part 1;

e. the ITIL improvement process is strongly aligned to the Plan-Do-Check-Act cycle in Part 1, but is based on seven steps, not the four in Part 1;

f. service continuity and availability management are combined in one clause in Part 1, but are separate in ITIL;

g. knowledge management is not explicitly included in Part 1, but it links to several requirements for use of information and service reports;

h. service portfolio is not a requirement in Part 1, although some aspects of business relationship management link to the business understanding required for a portfolio;

i. Part 1 has no requirements for charging, because this is not universal;

j. ITIL has no direct equivalent to governance of processes operated by other parties, although much of this maps to ITIL supplier management;

k. management of internal groups and customers (acting as suppliers) also maps to supplier management in ITIL, more so than to service level management, as required by Part 1.

The relationship between ITIL and the 20000 series is to be covered by the new Part 11, as described in Chapter 1. Sources of additional advice are listed in the Bibliography and other sources of information.


Chapter 4 Continual improvement: Plan-Do-Check-Act

The SMS includes continual improvement, based on a repeating cycle of Plan-Do-Check-Act. After the SMS has been established, the PDCA cycle is used to monitor the overall performance of the SMS and services. This includes a check against requirements, identification and implementation of improvements. A PDCA cycle is shown in Figure 7.

The four PDCA stages are each processes that are part of the SMS. The PDCA cycle is applied both to the SMS and to the services the SMS delivers. The final stage of each full PDCA cycle makes sure the planned improvements have been made and that they have had the expected effect. If not, action is necessary.

The PDCA cycle is repeated so that with each cycle the SMS and services improve.

PDCA is particularly important when service requirements change, the customer’s business changes or the service provider goes through a major change. When this is the case, the PDCA cycle should be more frequent.

Figure 7 – PDCA

Overall control

The PDCA is in overall control of all improvements to the SMS and services, including the improvements identified and implemented within service management processes.

It is possible to use information from any process to identify opportunities for improvements. This can be handled locally, as long as it remains under the overall control of the SMS. Alternatively, an improvement is managed directly by PDCA. Many service improvements are the result of improvements in processes and procedures.

A driving force for the SMS is a set of policies that provides top management direction. Combined with the service requirements and the service management objectives, the policies provide goals for the SMS and the service provider's managers and other personnel.

The PDCA cycle is no exception to the role of policies. Part 1 requires a policy on continual improvement of the SMS and the services. The policy is also required to include evaluation criteria so that opportunities for improvements are assessed on an appropriate basis.


Part 1 also requires a policy to be underpinned by processes. Processes are in turn underpinned by procedures that cover all aspects of managing improvements.

Emphasis is on the importance of improving the SMS and services, including the need for evidence that top management are committed to continual improvement. This is supported by a requirement for reports to be given to top management on the performance and opportunities for improvement to the SMS and the services.

An important element of the PDCA cycle is that management are required to review opportunities for improvement and the need for changes to the SMS. This includes improvements and other changes to the policy and objectives for service management.

Similarly, internal audits are an important part of the Check stage of PDCA. Internal audits are used to identify improvements as part of PDCA.

Opportunities for improvement

There are specific references to service management processes identifying opportunities for improvement.

Service level management:

− Trends and performance against service targets. This applies to the activities of the service provider, internal groups or the customer acting as a supplier.

Information security management

− Information security audits, as directed by the information security policy.

− Review of information security incidents.

Business relationship management

− Customer satisfaction measurements based on a representative sample of the customers and users of the services.

Supplier management

− Review of the supplier’s performance measured against service targets and other contractual obligations.

Incident and service request management

− A review of a major incident, after the major incident has been resolved.

Change management

− Analysis of requests for change (including trends in requests for change).

Release and deployment management

− Analysis of releases, including incidents caused by defective releases and assessment of the impact of the release and any incidents caused by the release on the customer.


Chapter 5 The Part 1 requirements summarized

This chapter is an aide memoire to key service management requirements in Part 1. For simplicity, in this chapter the term ‘new and changed services’ is abbreviated to ‘service’.

Design and transition of new and changed services (Clause 5)

In the 20000 series the introduction of new and changed services is part of service management. This process has strong links to the control processes of configuration, change, and release and deployment management. New or changed services can also be the result of PDCA, or require extensive changes to the SMS.

The key points of the new or changed service process are shown below.

a. The service provider is responsible for all stages of this process being effective, irrespective of who is actually operationally responsible.

b. Clause 5 scope is defined by change policy criteria and includes:

− all higher risk changes that need the extra protection of Clause 5;

− all service removals/retirements or transfers to another provider.

c. All Clause 5 changes are subject to the control processes.

d. The service provider identifies new service requirements, which can originate from either outside or inside the service provider’s organization.

e. The expected outcomes of the proposed new service are defined in a way that means they can be quantified and later measured and reported.

f. Planning output is accepted or rejected based on a review against requirements.

g. Plans are comprehensive and ensure service requirements and Part 1 requirements are fulfilled and the impact of the services is taken into account.

h. Plans include acceptance criteria agreed with the customer and interested parties (e.g. regulatory bodies or the other parties identified in Clause 3.13 of Part 1).

i. Other parties involved / contributing to the new service are assessed to ensure that they are capable of making an adequate contribution, as and when required.

j. The new service design will be comprehensive and include all changes to the SMS that will be needed, including changes to documents and records.

k. The design will take into account changes for all types of resources, including necessary budgets.

l. Service acceptance criteria agreed in advance by the customer and interested parties.

m. The design is compared to the original service requirements and if necessary amended before the final design is agreed.

n. The agreed design will be the basis for the services being developed.

o. The new service will be tested against agreed service requirements and the design and acceptance criteria agreed previously.

p. If the test results are acceptable, the release and deployment management process is used to deploy the new service into the live environment.

q. If the test results are not acceptable, the service provider and interested parties make decisions on next steps and ensure suitable actions are taken.


Service level management (Clause 6.1)

a. The following are agreed with the customer(s):

− service requirements;

− catalogue of services, with service and component dependencies;

− one or more service level agreements (SLAs) for each service based on service requirements;

− timetable for reviews of the service and SLAs.

b. The service provider and customer review SLAs and services, according to an agreed timetable.

c. Change management controls the service level management (SLM) documents and the documents are realigned if there are changes to the service catalogue, SLAs or services.

d. Trends are compared to service targets (to an agreed timetable).

e. The causes of nonconformities and improvement opportunities are identified.

Service reporting (Clause 6.2)

a. Performance against service targets.

b. Relevant information about significant events.

c. Workload characteristics including volumes and periodic changes in workload.

d. Detected nonconformities against the requirements and their identified cause.

e. Trend information.

f. Analysis of customer satisfaction measurements and service complaints.

Service continuity and availability management (Clause 6.3)

a. Assess and document the risks to service continuity and availability of services.

b. Identify requirements using business plans, risks, service requirements, SLAs, access rights, response times and end-to-end availability of services.

c. Create, implement and maintain a service continuity plan and an availability plan.

d. Assess the impact of requests for change on the plan(s).

e. Planning includes:

− production of service continuity plan(s);

− procedures in the event of a major loss of service;

− availability targets when the plan is invoked;

− recovery requirements;

− approach for return to normal working conditions.

f. Access to plans, contact lists and the configuration management database (CMDB) when normal locations are inaccessible.

g. Availability plans include availability requirements and targets.

h. Monitoring and testing:

− monitor availability of services and compare the results to agreed targets;

− investigate unplanned non-availability and take action;

− test plans against the requirements;

− retest after major changes to the service environment;

− record test results and review;

− review after the service continuity plan is invoked.


Budgeting and accounting for IT services (Clause 6.4)

a. There are requirements for charging.

b. Policies and documented procedures for:

− budgeting and accounting for service components;

− apportioning indirect costs and allocating direct costs to provide a cost for each service;

− effective financial control and approval.

c. Budgeting enables decision making.

d. Monitor and report costs against budget and financial forecasts.

e. Manage costs.

f. Provide information to change management to support costing of requests for change.

g. Budgeting should:

− track costs against budget to give early warning of variances;

− account for seasonal variations and planned changes during budget period;

− plan the management of shortfalls;

− support operating/changing services with cost tracking to maintain service levels.

h. Accounting should ensure that:

− cost tracking is to an agreed level of detail;

− decisions are based on cost-effective comparisons;

− cost models demonstrate the cost of service provision;

− accounts demonstrate over- and under-spending;

− there is an understanding of the cost of low service levels or loss of service.

Capacity management (Clause 6.5)

a. Provide sufficient capacity to fulfil agreed capacity and performance requirements.

b. Create, implement and maintain a capacity plan.

c. Human, technical, information and financial resources.

d. Capacity plan includes:

− current and forecast demand;

− expected impact of requirements for availability, service continuity and service levels;

− timescales, thresholds, costs for upgrades;

− potential impact of changes:

  o statutory, regulatory, contractual;

  o organizational, new technologies and techniques;

− procedures to enable predictive analysis.

e. Monitor capacity usage, analyse data and tune performance.

Information security (Clause 6.6)

a. Management with the appropriate authority approve the information security policy.

b. Management:

− communicate the policy to appropriate personnel, customers and suppliers;

− ensure the ISM objectives are established;

− define the approach for managing and accepting risks;

− ensure internal information security audits are done, reviewed and opportunities for improvement identified.

NOTE: Clause 6.6 requirements have been strongly influenced by ISO/IEC 27001.


Business relationship management (Clause 7.1)

a. Document customers, users and interested parties.

b. An individual to manage the relationship and customer satisfaction with each customer is designated.

c. Establish a communication mechanism with the customer for understanding of the business environment and requirements for new or changed services.

d. Review performance of the services at planned intervals.

e. Control changes to the documented service requirements, via the change management process.

f. Agree the definition of a service complaint.

g. Document and implement the service complaints management procedure.

h. Escalate when a service complaint is unresolved through normal channels.

i. Measure customer satisfaction at planned intervals based on a representative sample of users and customers of the services.

j. Analyse and review the results for input to continual improvement.

Supplier management (Clause 7.2)

a. Designate an individual responsible for managing the relationship, the contract and performance of each supplier.

b. Agree a documented contract.

c. Agree the service levels to support and align with the SLAs.

d. Lead suppliers and sub-contractors:

− ensure the roles and relationships are documented;

− verify that lead suppliers manage their sub-contractors;

− monitor performance at planned intervals;

− measure performance against service targets and other contractual obligations;

− review results, identify nonconformities and opportunities for improvement;

− control changes to the contract via change management;

− procedure to manage contractual disputes.

e. Contract management includes:

− performance data is obtained and acted upon;

− all supplier contracts contain a review schedule;

− a process for managing each contract and contract amendment;

− changes to the process are notified to all affected suppliers;

− a basis for bonus/penalty payments against targets;

− contractual dispute management;

− an escalation route when required.

f. Contract end or transfer of services to another supplier.

Incident and service request management (Clause 8.1)

a. Incident management procedure for all incidents.

b. Procedure for the fulfilment of service requests from recording to closure.

c. Priority based on impact and urgency.

d. Personnel can access and use information:

− service request procedures;

− known errors, problem resolutions, CMDB;

− success or failure of releases.


e. Inform customers of progress and if service levels cannot be met, escalate according to a procedure.

f. Major incidents:

− definition of a major incident agreed with the customer in advance;

− procedure;

− designate individual responsible;

− after service restoration review major incidents and input to continual improvement.

Problem management (Clause 8.2)

a. Procedure to identify problems and minimize / avoid the impact of incidents and problems:

− identification, recording, prioritizing, classification;

− updating, escalation, resolution, closure.

b. Analyse data on incidents and problems, identify root cause and potential preventative action.

c. Raise a request for change if problems require a change to a configuration item (CI).

d. Actions to reduce / eliminate impact of a problem if not permanently resolved.

e. Record known errors.

f. Monitor, review, and report effectiveness of resolution.

g. Provide information on known errors and problem resolution to incident and service request process.

Configuration management (Clause 9.1)

Note: Financial asset management is out of scope, but the interfaces to financial asset management are included (this interface can simply be data from this process being input to financial asset management and any relevant polices being shared).

a. Document the definition of each type of CI.

b. Uniquely identify CIs and record in a CMDB.

c. Information for each CI ensures effective control:

− description of the CI;

− relationship(s) between the CI, other CIs and service components;

− status, version, location;

− associated requests for change, problems and known errors.

d. Documented procedure to record, control and track versions of CIs.

e. Degree of control:

− consider the service requirements and risks;

− maintain the integrity of the services and of service components.

Change management (Clause 9.2)

a. Establish a change management policy that defines:

− CIs under the control of change management;

− criteria to determine changes with the potential to have a major impact on services or the customer;

− removal or transfer of a service (Clause 5 always applies to these).


b. There should be a documented procedure:

− to record, classify, assess and approve requests for change;

− to manage emergency changes.

c. Agree the definition of an emergency change.

d. All changes are raised using an RFC that has a defined scope.

e. RFCs are assessed using information from this and other processes.

f. Decision making on the acceptance of RFCs considers:

− potential impact to services, customer and service requirements;

− risks, benefits, technical feasibility and financial impact.

g. Approve and develop approved changes.

h. Maintain a schedule of change and communicate to interested parties.

i. Plan activities to reverse / remedy unsuccessful changes / test where possible.

j. Update the CMDB records following the deployment of changes.

k. Review changes for effectiveness and take agreed actions.

l. Analyse RFCs at planned intervals to detect trends.

m. Record and review the results of the analysis and input to continual improvement.

Release and deployment management (Clause 9.3)

a. Agree with the customer a release policy and definition of an emergency release.

b. Document a procedure for emergency releases that interfaces to the emergency change procedure.

c. Plan deployment of a new or changed service and service components into the live environment and the activities to reverse or remedy any unsuccessful release.

d. Coordinate planning with change management.

e. Plans include references to:

− related requests for change, known errors and problems that will be closed through the release;

− dates for deployment, deliverables, method of deployment.

f. Agree acceptance criteria with customers and interested parties.

g. Build and test releases prior to deployment, using a controlled acceptance test environment.

h. Verify the release against agreed acceptance criteria and approve before deployment. If criteria are not met, make a decision with interested parties.

i. Deploy to live while maintaining the integrity of hardware, software and other service components.

j. Reverse or remedy the deployment if unsuccessful.

k. Investigate unsuccessful releases and take agreed actions.

l. Monitor and analyse the success or failure of releases including incidents and the impact on the customer.

m. Review the results and identify opportunities for improvement.

n. Provide information to change management to support impact assessment of changes on releases and deployment plans.


Chapter 6 Certification and qualification schemes

Who awards certificates to service providers?

A certificate can be awarded to a service provider if a third party / independent audit company audits a service provider's SMS and decides it conforms to the requirements of Part 1. Conformity does not mean perfection, nor is every bit of evidence examined. A few minor nonconformities can be corrected within a few weeks of the assessment without delaying the certification. Major nonconformities prevent the certificate being awarded. A major nonconformity is when there is a very serious defect in a process or, possibly, a series of smaller linked defects that together constitute a major nonconformity.

There are few limitations on who (or what organization) is allowed to award a certificate and ISO do not control how standards are used. However, other quality control measures are in place, as described below.

Can the certificate be relied upon?

Any organization intending to rely on certification against Part 1 as a measure of competence should inspect the certificate carefully. The scope statement might be irrelevant to the interests of a prospective customer: for example, it might not cover the nature of the service, the location used for service delivery, or the technical base of the service.

The prospective buyer of services should check that the certificate has been awarded by a reputable company (usually known as certification body or organization).

Has the audit been done under a reputable scheme?

The audit process is itself quality controlled to ensure the certification audits are done to a consistent standard, so that service providers are certified on the same basis.

Reputable schemes are those where the auditor and audit company have in turn been assessed and accredited by an independent accreditation body. This includes an assessment of the auditors' competence and understanding of Part 1 and general audit techniques. It also checks the overall management of the audit company and that each individual auditor is managed effectively. A successful assessment of an audit organization leads to accreditation, not certification.

The role of ISO/IEC 17021

The accreditation assessment is done primarily using ISO/IEC 17021, Conformity assessment — Requirements for bodies providing audit and certification of management systems. It includes the competence, objectivity and integrity etc. of the auditors and of the audit company management. This is combined with a technical assessment of how well the auditors understand Part 1.


The implications of certification under ISO/IEC 27001

Some Part 1 certification schemes allow the auditor to omit the audit under Part 1, Clause 6.6, Information security, if the service provider is already certified under ISO/IEC 27001, Information security management systems — Requirements. ISO/IEC 27001 contains requirements for an information security management system and is the information security equivalent of Part 1.

Not all schemes allow this and this practice is neither in Part 1 nor specifically permitted by ISO standards on audit practices, such as ISO/IEC 17021.

It is advisable to check with your auditor the details of the scheme rules under which the audit is to be done. A customer relying on an ISO/IEC 27001 certificate should check that certification is current and was by a reputable audit organization accredited to do ISO/IEC 27001 audits. Also, there should be a check that the scope of the ISO/IEC 27001 certificate covers the whole scope of the Part 1 audit. The ISO/IEC 27001 certificate is reassurance of the quality of the information security only for the scope audited; other areas may well be of a lower quality.

It is rare for there to be the same scope for an ISO/IEC 27001 audit and for a Part 1 audit. One scope definition does not cover all aspects of the other, even though some overlap is common.

Changing from the 2005 to the 2011 edition

The key points of changing to become certified under the 2011 edition instead of the 2005 edition vary across different schemes. The following are usual for this type of transition:

a. typically a two year transition from the publication of the second edition of Part 1;

b. first six months for preparation;

c. first audits for the 2011 edition likely to be early in 2012;

d. for audits, certification under 2011 is usually either:

− at the next full audit, if due at an appropriate time; or

− at the next surveillance audit;

− if necessary over more than one surveillance audit;

e. new certificates / new service providers:

− are possible when the audit organization is accredited to do the 2011 audits;

− timetable varies depending on the scheme that applies.

Qualification schemes

There are similar staged transitions to the 2011 edition of Part 1 for qualification schemes. However, these are individually controlled and advice should be sought from training organizations.

Eventually, courses and the examination based on the 2005 edition of Part 1 will be withdrawn. Some roles (for example an auditor) will have to be re-qualified or take a transition qualification. Personal qualifications are not normally invalidated by the publication of the 2011 edition, although short conversion / awareness courses will be available.


Chapter 7 Differences between Part 1:2005 and Part 1:2011

The changes

There are a few large changes and many small changes in the second edition of Part 1 compared to the first edition published in 2005. The larger changes are described below. Some small changes are included as examples. These are mainly minor wording changes.

Format and editorial changes

Title

Part 1 has a new title – Service management system requirements. This emphasises that the management system is about delivering a service. It also avoids Part 1 being confused with a software or system specification.

Objectives

Objectives have been removed because some readers assumed they were requirements, and not the guidance they were intended to provide. Adding 'Objectives' to a requirements document is also against ISO editorial rules.

Structure

The numbering of clauses in the first editions of Parts 1 and 2 was aligned, to simplify cross-referencing. The same principle has been followed with the second edition, but using different methods. The structural changes are:

a. a dummy Clause 2 (Normative references) added to Part 1;

b. merging of Clauses 3 and 4 requirements (General aspects of the SMS);

c. deletion of the dummy Clauses 7.1 and 7.2 used in Part 1, 2005;

d. merging of Clauses 9 and 10 (configuration, change, release and deployment).

International wording

Changes have been made to simplify translation and to help those for whom English is not their first language. To a native English speaker these changes make little difference, but there should be better consistency in understanding and interpretation.

Changes are also being made across the 20000 series to avoid variants of English, where the same English word means different things to different native English speakers. For example, 'to address' to one native English speaker means 'to deal with something', to another it means 'to start dealing with something'.

Changes to phrases / wording (old term to new term) include:

a. 'business' to 'customer';

b. 'authorization' to 'approval';

c. 'stakeholder' to 'interested parties';

d. 'named manager' to 'designated manager'.


Standardization of wording

English has more words than other languages so it is often impossible to translate a word into an equivalent word in another language. The ease of use, translation and consistency of interpretation was agreed to be more important than subtle differences in meaning. To support this, wording is being standardized across the 20000 series.

More definitions

Most new definitions are from ISO 9000 or ISO/IEC 27000. Typically, these are included to make sure there is consistency across the standards most commonly used by the service management industry.

The number of requirements

Part 1 is 50 per cent longer and contains 50 per cent more ‘shalls’, where 'shall' is used to show the 'must do's'. Part 1 is not 50 per cent harder to achieve. The additional requirements are primarily clarification of the 'how to' aspects of best practice service management. This partly reflects the increased maturity in what best practice constitutes, but also the wish by the international community to have more best practices consolidated as requirements, reducing the number of options for how each end-result is attained.

Revised figures

The figures in Part 1 are not part of the requirements but are often used to help understanding of the requirements. They feature in training material and examinations.

In order to give greater clarity and emphasis to how the SMS directs and controls service management and services the first two figures in Part 1 have been revised. They have also been swapped round as shown below in Figure 8. Figure 1 in Part 1 is now a simple representation of the PDCA cycle encompassing the SMS and services. The PDCA cycle remains part of the SMS. PDCA should therefore be subject to an improvement cycle itself, as it also was in the 2005 edition of Part 1.

Figure 8 – How the SMS is represented in Part 1

Figure 2 in Part 1 now clearly shows that the service management processes are part of the SMS, not a separate set of processes. This is not a change to the requirements, but done for the avoidance of doubt on the meaning of the Part 1 requirements.

It is the service management processes that mean Part 1 requirements are for a service management system. It is also why Part 1 differs from ISO 9001 or ISO/IEC 27001.


Roles and responsibilities

Top management / management representative / responsible managers: ‘The buck [still] stops here’. Management direction is still based on policies. Changes are mainly minor wording changes but top management are now required to be more actively involved in the management, review and improvement of the SMS.

New and changed services / higher risk changes (Clause 5)

a. Starts at planning and design of services and ends with transition, testing, acceptance [or rejection] and deployment into operational running.

b. More requirements, especially early in the lifecycle of a new or changed service.

c. New: criteria for higher risk changes (Clauses 5 and 9.2) in a change management policy, identifying to which changes Clause 5 should be applied.

d. Clause 5 always applies to removal or transfer of services.

e. Clause 5 changes are all also managed by the control processes.

Scope, supply chain and ‘other parties’

Part 1 now includes a new Clause 4.2, Governance of processes operated by other parties, as shown in Figure 9.

This could lead to changes in applicability of Part 1 and to acceptable scope definitions. For example, a service provider might need to renegotiate contracts with suppliers to ensure that the contract allows them to have appropriate levels of control.

Clause 4.2 also applies to internal groups or customers (when acting as suppliers) that are not under the service provider's direct control. Documented agreements are required between these groups and the service provider.

The internal groups and customers (when acting as suppliers) are now managed by the service level management process. Suppliers, which are legal entities separate from the service provider, are still managed by supplier management and under contract.

Figure 9 – Governance of processes

Other parties can contribute to services if the following conditions are met.

Condition 1: The service provider retains overall management of the SMS.

Condition 2: The service provider can demonstrate governance of all processes, including those operated by other parties.

The second condition means the service provider can demonstrate it:

a. is accountable for all processes;

b. has authority to require adherence to processes;

c. has control of:

− process and interface definition;

− how process performance is measured;

− determining how and if processes are compliant;

− planning and priorities for process improvements.

Clause 1.2 in Part 1 provides guidance on the applicability (and therefore acceptable scope) of the SMS. This clause advises that Part 1 is inappropriate if most service management has been outsourced. This is the case even if the service provider has excellent governance of all processes, excellent service level management and excellent supplier management.

Alignment with ISO 9001 and ISO/IEC 27001

Market research has shown that many organizations using the 20000 series also use ISO/IEC 27001 and, to a slightly lesser extent, ISO 9001.

To support this, the more significant changes in Part 1 include the closer alignment of the PDCA cycle to ISO 9001. This includes the requirements for documents and records being realigned to the latest edition of ISO 9001, with almost identical wording in both.

Part 1, Clause 6.6, on information security requirements, is now longer and also much more closely aligned to ISO/IEC 27001, which is cross-referenced in Clause 6.6. It now includes:

a. information security objectives;

b. specific types of internal information security controls;

c. management of external parties using information security controls;

d. risk assessment and risk management;

e. information security audits.

Operational changes

All procedures should be documented (and therefore followed consistently).

Definitions that should now be agreed:

a. major incident;

b. configuration item (CI);

c. emergency change;

d. emergency release.

Changes to phrases / wording include 'at least annually' becoming 'at suitable frequencies'. This requires a timetable for events that can be justified according to the service provider's circumstances.

Some Part 2 guidance is now requirements

Examples of Part 2:2005 guidance becoming Part 1:2011 requirements include the requirements for a service catalogue. Another example is that the service continuity plan should not only be developed and tested but now also actually be agreed with the customer.

Transition to certification under the 2011 edition

The important steps for this are as follows:

a. Talk to your auditor and/or assessor.

b. Gap analysis:

− check what is documented in your SMS;

− check the SMS against the 2011 edition: you might already be doing what is required.

c. Key points for an acceptable scope:

− governance of processes, identify changes to:

o contracts;

o documented agreements;

o service catalogues and SLAs;

− projects delivering new or changed services;

− information security controls, especially external parties.

d. Plan phased improvements / other changes / continual improvement.

e. Agree the timetable for assessment – typically at one or more surveillance assessments.

f. Ensure there are documents and records as evidence of meeting the new or changed requirements.

Annex A The Part 1 collections

Many of the Part 1 requirements are based around collections of activities, stages or other groups. It is advisable to be familiar with these, particularly when preparing for an examination. The most important are given below in the order in which they first occur in Part 1. For most of the collections all those listed are required or the list represents an acceptable minimum. Some collections in Part 1 are just examples, shown with (e.g.).

Clause 0 Scope (of Part 1)

Scope of activities in Part 1 SMS

− plan

− establish

− implement

− operate

− monitor

− review

− maintain

− improve

Service lifecycle

− design

− transition

− delivery

− improvement

Clause 3 Defined terms

Types of document (e.g.)

− policies

− plans

− process descriptions

− procedures

− service level agreements

− contracts

− records

Preservation of information security (e.g.)

− confidentiality

− integrity

− accessibility

Interested parties (e.g.)

− customers

− owners

− service provider's organization

− suppliers

− bankers

− unions

− partners

Organization (e.g.)

− company

− corporation

− firm

− enterprise

− institution

− charity

− sole trader

− association

Service component (e.g.)

− hardware

− software

− tools

− applications

− documentation

− information

− processes

− supporting services

− one or more CIs

Contents of an SMS

− policies

− objectives

− plans

− processes

− documentation

− resources

Objective of an SMS

− design

− transition

− deliver

− improvement of services

− fulfil the Part 1 requirements

Service request (e.g.)

− information

− advice

− access to a service

− pre-approved change

Clause 4.1 Management responsibility

Top management commitment to the SMS and the services

− planning

− establishing

− implementing

− operating

− monitoring

− reviewing

− maintaining

− improving

Top management establishing / communicating service management

− scope

− policy

− objectives

− plan is created / implemented / maintained

− importance communicated

Top management to ensure

− adherence to service management policy

− objectives achieved

− fulfilment of service requirements

− statutory and regulatory requirements

− contractual obligations

− resources provided

− management reviews are performed (at planned intervals)

− risks assessed and managed

Authorities and responsibilities of the management representative for service requirements

− identify

− document

− fulfil

Stages of service management processes:

− responsibilities assigned

− designed

− implemented

− improved

− integrated with other SMS components

Assets used in service delivery are managed according to

− statutory requirements

− regulatory requirements

− contractual obligations

Clause 4.3 Document management

Documents for an effective SMS

− service management policy

− service management objectives

− service management plan

− process specific policies

− process specific plans

− catalogue of services

− SLAs

− service management processes

− service management procedures

− service management records

− documents of external origin

Clause 4.4 Resource management

Resources for the SMS

− human

− technical

− information

− financial

SMS and services

− establish

− implement

− maintain

− continually improve effectiveness

− enhance customer satisfaction

− fulfil service requirements

Competence of personnel

− education

− training

− skills

− experience

Clause 4.5 Establish and improve the SMS

Mandatory scope parameters

− name of organizational unit delivering services

− services

Optional scope parameters (e.g.)

− geographical locations

− customer

− customer’s locations

− technology used for service delivery

Plan stages for the SMS

− create

− implement

− maintain

Input to the plan stage

− service management policy

− service requirements

− Part 1 requirements

Plan contents

− service management objectives

− service requirements

− known limitations

− policies

− other standards

− statutory requirements

− regulatory requirements

− contractual obligations

− authorities

− responsibilities

− all types of resource

− how to work with other parties

− interfaces between processes

− integration of components of the SMS

− risk management

− criteria for accepting risks

− technology

− improvement of the SMS

Plan for improving the effectiveness of the SMS

− measuring

− auditing

− reporting

− improving

SMS stages

− design

− transition

− delivery

− improvement

Activities for SMS implementation

− initial allocation of funds and budgets

− assignment of authorities

− assignment of responsibilities

− assignment of roles

− management of (implementation) risks

− implementation of service management processes

− implementing performance monitoring

Activities for operation of the SMS

− management of funds and budgets

− management of personnel

− management of all resources

− management of processes

− management of risks

− monitoring of performance

− reporting on performance of service management activities

Monitoring and measuring the SMS

− internal audits

− management reviews

− performance monitoring

− against service requirements

− against Part 1 requirements

− against statutory requirements

− against regulatory requirements

− against contractual obligations

− against other parties’ obligations

− reporting nonconformities

− concerns

− actions identified

Objectives of internal audits

− fulfilment of Part 1 requirements

− fulfilment of service requirements

− fulfil the SMS requirements

− ensure SMS remains effective

Planning for an audit programme

− status of processes

− importance of processes

− areas to be audited

− results of previous audits

− audit criteria

− audit scope

− audit frequency / timetable

− audit methods

− objectivity of auditors

Post-audit activities

− results issued

− communication of nonconformities

− actions arising

− setting of priorities

− corrective action

− follow up of corrective action

− input to the next internal audit

Management reviews of the SMS and services

− suitability

− effectiveness

− opportunities for improvement

− changes to the SMS

− service management policy

− objectives for service management

Input to management reviews

− customer feedback

− service conformity

− process performance

− current and forecast resources

− current and forecast capabilities

− risks

− output from audits

− previous management review output

− status of preventive actions

− status of corrective actions

− changes that could affect the SMS

− changes that could affect the services

− opportunities for improvement

Authorities and responsibilities for maintaining and improving the SMS

− identifying

− documenting

− evaluating

− approving

− prioritizing

− managing

− measuring

− reporting of improvements

Improvement targets to include at least one of

− quality

− value

− capability

− cost

− productivity

− resource utilization

− risk reduction

Clause 5 New and changed services

Stages controlled by change management

− assessment

− approval

− scheduling

− reviewing of new or changed services

Sources of new services / changes to services

− customer

− service provider

− internal group

− supplier

Potential impacts to be considered when planning

− financial

− organizational

− technical

Contents of the new / changed service plan

− authorities

− responsibilities

− design

− development

− transition

− communication to interested parties

− resources (all types)

− timescales for activities

− risk identification and assessment

− risk management

− dependencies on other services

− testing

− service acceptance criteria

− expected outcomes

Service removal

− dates

− archiving

− disposal or transfer of data

− documentation

− service components

Clause 6.1 Service level management

SLA contents

− agreed service targets

− workload characteristics

− exceptions

Control by change management

− service requirements

− catalogue of services

− SLAs

− other documented agreements

Documented agreement stages

− develop

− agree

− review

− maintain

Clause 6.2 Service reporting

Agreed service report description

− identity

− purpose

− audience

− frequency

− details of the data source(s)

Included in service reporting

− performance against targets

− information on significant events

− workload characteristics / volumes / periodic changes

− nonconformities

− trends

− customer satisfaction

− service complaints

Clause 6.3 Service continuity and availability management

Topics considered when developing service continuity requirements

− applicable business plans

− service requirements

− SLAs

− risks

Service continuity requirements

− access rights to the service

− service response times

− end-to-end availability of services

Plan contents for after invocation

− procedures

− availability targets

− recovery requirements

− approach to return to normal working

Clause 6.4 Budgeting and accounting

Budgeting and accounting for

− assets

− shared resources

− overheads

− capital

− operating expenses

− externally supplied services

− personnel

− facilities

Clause 6.5 Capacity management

Capacity plan to include

− current demand

− forecast demand

− expected impact of requirements

− timescales

− thresholds

− costs

− statutory changes

− regulatory changes

− contractual changes

− organizational changes

− new technologies

− new techniques

− predictive analysis

Capacity management stages

− monitor usage

− analyse usage

− tune performance

Clause 6.6 Information security

Information security policy takes into account:

− service requirements

− statutory requirements

− regulatory requirements

− contractual obligations

Information security incident analysis

− types

− volumes

− impacts

Types of control

− physical

− administrative

− technical

Purpose of controls

− confidentiality

− integrity

− accessibility

− fulfil requirements of the policy

− achieve objectives

− manage risks

External organization's access to information or services

− access

− use

− manage

Clause 7.1 Business relationship management

Parties involved to be documented

− customers

− users

− interested parties

Complaint handling stages

− record

− investigate

− act upon

− report

− close

Clause 7.2 Supplier management

Contract contents

− service scope

− dependencies

− requirements

− service targets

− interfaces

− integration of suppliers' activities

− workload characteristics

− contract exceptions

− contract exception handling

− authorities

− responsibilities

− reporting

− communication

− charging basis

− early termination clause

− transfer to a different party clause

Clause 8.1 Incident management

Incident management stages

− recording

− allocation of priority

− classification

− updating of records

− escalation

− resolution

− closure

Access to and use of relevant information

− service request management procedures

− known errors

− problem resolutions

− CMDB

− success or failure of releases

− future release dates

Clause 8.2 Problem management

Problem management stages

− identification

− recording

− allocation of priority

− classification

− updating of records

− escalation

− resolution

− closure

Clause 9.1 Configuration management

Information on each CI (at least)

− description

− relationship between CIs

− status

− version

− location

− associated requests for change

− associated problems and known errors

CI procedure stages

− recording

− controlling

− tracking

Contents of secure physical or electronic libraries

− licence information

− software

− available images of the hardware configuration

Clause 9.2 Change management

Documented procedure stages

− record

− classify

− assess

− approve requests for change

Basis for decisions on acceptance of requests for change

− risks

− potential impacts to services

− potential impacts to the customer

− service requirements

− business benefits

− technical feasibility

− financial impact

Clause 9.3 Release and deployment

Planning to include

− references to the related requests for change

− known errors

− problems being closed through the release

− dates for deployment of each release

− deliverables

− methods of deployment

Conditions for successful deployment / protection of integrity

− hardware

− software

− other service components

Annex B Checklist of documents, records and evidence

The complete SMS should be documented before it is established. All subsequent changes to the SMS are under the control of the change management process, which ensures the SMS documentation is also kept up to date.

Part 1 terms and definitions note that documenting procedures is optional, but in reality all references in Part 1 to specific procedures are to ‘documented procedures’.

Although documents and records are an essential part of an SMS they do not have to be long or complex. The 20000 series remains targeted on doing, not documenting.

Table 1 is a checklist of documents and records explicitly referred to in Part 1, e.g. the service management policy. It also lists documents and records that will be produced or used as a result of an activity required by Part 1, but which are not explicitly identified by the requirements, e.g. a timetable for internal audits (because they are to be done at planned intervals). These are also evidence of an activity having been performed.

The checklist does not draw a distinction between documents and records. Documents describe intentions; records show what happened in reality.

The documents and records are listed in the order in which they first occur in Part 1. Each is listed once, usually the first time it is referred to, to minimize duplication.

[Square brackets show text inserted to help identify or give context to the identified document or record.]

Table 1 – Checklist of documents, records and evidence in Part 1

Clause 4.1 Management responsibility

Definition of the scope of the SMS

Plan for the SMS [comprehensive]

Service management objectives

Service management policy

Communications programme / plan

Communication procedures

Service requirements

Statutory and regulatory requirements

Contractual obligations of the service provider

Contractual obligations of the suppliers

Documented agreement(s), with internal groups

Documented agreement(s), with customers [when acting as suppliers]

Management review agenda and timetable

Management review results / reports

Risk assessment reports

Definition / framework and assignment of authorities, responsibilities and process roles

Authorities and responsibilities for plans, service management processes and services

Service management process designs

Lists of assets used to deliver the services [licences are specifically mentioned]

Clause 4.2 Governance of processes operated by other parties

Processes or parts of processes operated by other parties

Evidence of accountability for processes

Evidence of controlling the definition of the processes and interfaces

Evidence of authority to determine process performance

Evidence of authority to determine compliance with process requirements

Evidence of control of planning process improvements

Evidence of control of priority of process improvements

Evidence of SLM used for management of internal groups and customers acting as suppliers

Process specific policies and plans

Catalogue of services / services to be delivered

SLAs [including service targets, workload characteristics and exceptions]

Clause 4.3 Documentation management

Procedures for control of documents

Procedures for control of records

Documents of external origin for SMS operation / delivery of the services

Clause 4.4 Resource management

Records of the competence of personnel [education / training / skills / experience]

Records of competence assessment

Training plans

Training plan evaluation

Known limitations that can impact the SMS

Resources: human, technical, information and financial – required, planned and actual

Clause 4.5 Establish and improve the SMS

Approach to be taken for working with other parties involved in new or changed services

Approach for interfaces between SM processes / integration with other components of the SMS

Approach to identifying and managing risks, including criteria for accepting risks

Technology used to support the SMS

How the effectiveness of the SMS and services will be measured / audited / reported / improved

Method for monitoring and measuring the SMS and services

Objectives of internal audits

[Internal] Audit criteria and methods

Evidence of application of suitable criteria for auditor selection / independence of auditors

[Internal] Audit programme – dates and scope of each audit

Internal audit procedures

Results of internal audits

Objectives of management reviews

Management review agenda and timetable [planned intervals]

Input to the management review [output from internal audits, actions for earlier reviews]

Identified risks as input to management review

Nonconformities identified against the Part 1, SMS and service requirements

Causes of identified nonconformities

Actions arising from reported nonconformities, with priorities

Evidence of corrections and corrective actions actually done at suitable times

Customer feedback as input to the management review

Outcomes of the management review / improvements and other changes

Reports of service and process performance and conformity

Resource levels [human, technical, information and financial] – current actual

Resource levels [human, technical, information and financial] – planned

Capabilities [human, technical] – current actual

Capabilities [human, technical] – planned

Update on [previous] preventive and corrective actions and corrections

Changes that could affect the SMS and services

Options for identified improvements

Decisions and actions arising from management reviews

Continual [SMS and services] improvement policy, including criteria for improvement selection

Opportunities for improvement [including corrective and preventive actions]

Plans for improvements, including agreed priorities and targets for improving the SMS / services

Records of the correction of nonconformities

Records / report of improvements being made including correction of nonconformities

Revision history for changes to the SMS, e.g. changes to policy, plans, process changes etc.

Actual measured improvements against the selected improvement targets

Actions taken when improvements miss the target(s)

Clause 5 New and changed services

Interface to the three control processes (configuration / change, release and deployment)

[Changes to] service requirements for new or changed services

Plan(s), with activity level details for new and changed services, including service removal

Designs for new and changed services, including service removal / transfer

Impact assessment for new or changed services on the SMS finances, organization, technology

Authorities and responsibilities for the design, development and transition activities

Other parties [who will contribute to the provision of service components]

Evaluation of other parties’ ability to fulfil service requirements for new or changed services

Communications to interested parties

Resources: human, technical, information, financial

Risk identification, assessment and management

Test plans for new and changed services

Outcomes expected [in measurable terms] from new or changed services

Criteria for acceptance of new or changed services into the live environment

Comparison of service design and the service requirements

Report on the development of the design

Service acceptance criteria [agreed with the interested parties]

Test results for new or changed services against the service requirements and design

Decisions on actions when acceptance criteria are not met

Report on final outcomes against expected outcomes

Clause 6.1 Service level management

Activities and interfaces between the service provider and internal groups

Agenda and timetable for [planned] service reviews

Service review reports

Input to the change management process

[Change history of] SLM documents

Timetable for monitoring and report production [planned intervals]

Reports on performance against service targets, other service commitments and trends

Causes of nonconformities and opportunities for improvement

Service review reports on the performance of internal groups and customers acting as suppliers

Clause 6.2 Service reporting

Service report descriptions

Service reports on performance against service targets and workloads, including changes

Nonconformities against Part 1 and the SMS and service requirements, with identified causes

Trend information, e.g. service, performance, workloads [and availability for Clause 6.3]

Customer satisfaction measurements and analysis

Service complaints

Major incident reports

Service continuity plan invocation report

Communications on decisions and actions arising from service reports

Clause 6.3 Service continuity and availability management

Business plans [applicable to service continuity and availability]

Risks to service continuity and availability of services

Service continuity and availability requirements including recovery requirements

Service continuity plan(s) [agreed with the customer]

Plans for testing / retesting service continuity plans

Service continuity plan test results, including actions identified

Procedures to be implemented in the event of a major loss of service

Approach for the return to normal working conditions

Contact lists for use during a major loss of service

CMDB (with normal access and access in the event of a major loss of service)

Review of the service continuity plan after invocation

Availability requirements and targets [as part of the availability plan]

Testing / retesting plans for availability plans

Availability management plan(s)

Test results for availability plans

Actions arising from the unplanned non-availability investigations

Report on actions taken

Assessment of the impact of requests for change on both the service continuity and availability plans

Clause 6.4 Budgeting and accounting for services

Interface between budgeting and accounting and other financial management processes

Policy for budgeting and accounting

Procedures for budgeting and accounting

Budget

Budget variances [actual costs compared to budget]

Review of financial forecasts, especially budget variances

Options for managing costs, e.g. when the actual is not at the budget level / there is a variance

Decisions made on management of cost variances

Costs of implementing change requests as input to the change management process

Clause 6.5 Capacity management

Details of [current] available capacity and [current] performance levels

Capacity and performance requirements

Capacity plan covering all types of resources

Reports on capacity usage for performance tuning [via change management]

Input to the change management system for changes to the capacity plan

Clause 6.6 Information security management

Information security policy, with authority levels for approval of the information security policy

Service, statutory and regulatory requirements, and contractual obligations on information security

Communications plan for the information security policy

Information security management objectives

Information security risk acceptance criteria

Approach to be taken for the management of information security risks [based on risk acceptance criteria]

Information security risk assessment procedure

Timetable for planned / future information security risk assessments (may be event triggered)

Actual timetable compared to planned timetable

Information security internal audit procedure

Timetable of planned / future information security internal audits (may be event triggered)

Report from risk assessments, with opportunities for improvement

Report from internal audit, with opportunities for improvement

Physical, administrative and technical information security controls

Report on compliance / conformity to all controls [are they used?]

Report on the effectiveness of the controls [are they fit for purpose?]

External organizations that access, use or manage the service provider’s information or services

Input from the change management process for identification of information security risks

Criteria for classification of information security incidents with guidelines for priority

Incident management logs [records]

Procedure for transfer of an information security management incident to problem management

Reports on information security incidents – types / volumes and impacts

Opportunities for improvement in information security and information security controls

Clause 7.1 Business relationship management

Details of customers, users and interested parties [a broad category of individuals or groups]

Designated individual responsible for the relationship with a customer or group of customers

Communications mechanism to promote understanding of the customer’s business environment

Agenda and timetable for reviews of the performance of the service(s)

Report from the review with the customer

Requirements for new or changed services

Changes to service requirements input to the change management process

Proposed changes to the SLAs, as input to SLM process

Complaint management procedure, with agreed definition of a service complaint

Records of complaints

Proposed actions to resolve complaints

Input from the customer on the resolution of the complaint [before the complaint is closed]

Escalation process [or procedure] with contact details for escalation

Procedure for measuring customer satisfaction / sampling / selection method and timetable

Results of customer satisfaction measurement with identified opportunities for improvement

Clause 7.2 Supplier management

Details of the supply chain of all other parties

Designated individual for management of the supplier [relationship, contract and performance]

Contracts with suppliers

SLAs that align with the service provider’s SLAs with customers

Procedure for managing disputes between service provider and supplier

Roles and relationship between lead suppliers and sub-contracted suppliers

Evidence that lead suppliers are managing the sub-contracted suppliers effectively

Evidence that sub-contracted suppliers are fulfilling their contractual obligations

Timetable for monitoring supplier [and lead supplier] performance

Report on performance monitoring, opportunities for improvement, including contract changes

Clause 8.1 Incident and service request management

Incident management procedures

Service request management procedures

Guidelines for setting priority based on impact / urgency / other aspects relevant to the service

Known errors from problem management

Problem resolutions (previous)

Details of successful and failed releases (from release and deployment management process)

Progress updates for the customer, including any targets at risk or failed

Escalation procedure

Definition of a major incident

Major incident management procedure

Process or procedure for identifying and appointing a major incident manager

Evidence of the appropriate selection of a major incident manager

Major incident management alerts to top management

Major incident review after each major incident, with opportunities for improvement


Clause 8.2 Problem management

Problem management procedure

Root causes of problems and their potential preventive action or impact avoidance

Request for change for changes to CIs for problem resolution

Problem resolutions recorded and input to incident management

Review of effectiveness of the process [input to or part of continual improvement]

Clause 9.1 Configuration management

Interface between the configuration management and financial asset management process

Definition of each type of CI

Unique id and information on each CI, with risks and associated service requirements

Procedure for CI control [recording, controlling and tracking versions of CIs]

Results of verification of the CMDB

Results of audits of CMDB data

Defect report and proposed actions to correct errors in the CMDB

Report on actual corrections / corrective actions

Configuration baseline taken before deployment of a release into the live environment

Master copies of CIs (those that are in the scope of documents / records, e.g. licence records)

Input to change management on the CMDB

Updates to the CMDB following successful changes (to CIs)

Clause 9.2 Change management

Interface between the emergency change and emergency release process

Change management policy defining CIs and criteria for the application of Clause 5 requirements

Change management procedure [record, classify, assess and approve]

Procedure for managing emergency changes, including the definition of an emergency change

Requests for change, including defined scope of the change and classification of the change

Input to and output from the Clause 5 process

Output from decision making on requests for change

A schedule of change and proposed deployment dates

Plans for reversal or remedying of unsuccessful changes

Test plans for reversal or remedying of unsuccessful change (if tests are possible)

Results from tests of reversal / remedying plans for unsuccessful changes

Unsuccessful change details (part of the change record)

Reports on investigation of unsuccessful changes, including proposed actions

Input to configuration management on changes deployed successfully (changes to CIs)

Reports on review of changes, with identified actions

Timetable for analysis of trends in requests for change

Results of the analysis of trends in requests for change / identified opportunities for improvement

Clause 9.3 Release and deployment management

Release policy describing frequency and type of releases to be deployed

Plan for deployment of new or changed services and service components, with dates

Timetable of future releases (also input to incident management process)

Definition of an emergency release

Details of the controlled acceptance test environment for releases

Test plans for releases, including agreed acceptance criteria for each release

Test results for releases

Approval (or rejection) of release based on test results

Actions for releases that fail to meet acceptance criteria

Record of deployment of releases

Test plan for reversal or remedying of an unsuccessful deployment of a release

Results from the investigation of unsuccessful deployment of a release

Record of actions taken as the result of unsuccessful deployment of a release


Bibliography and other sources of information

Other handbooks will be available in 2012. They cover information security, advice on the use of ITIL to achieve Part 1 requirements, governance of IT and customer satisfaction management.

Other books

Jenny Dugmore and Shirley Lacy (2011) Introduction to the ISO/IEC 20000 series: IT Service Management, BSI, ISBN-13: 978 0 580 72846 4

Lynda Cooper (2011) A Guide to the new ISO/IEC 20000-1: The differences between 2005 and 2001 editions, BSI, ISBN-13: 978 0 580 72850 1

Jenny Dugmore and Shirley Lacy (2011) A Manager's Guide to Service Management, BSI (6th edition), ISBN-13: 978 0 580 72845 7

Toolkits, workbooks

Jenny Dugmore (2012) IT Service Management – Self-assessment workbook, ConnectSphere, ISBN-13: 978-1-908772-01-5

Shirley Lacy and Jenny Dugmore (2011) ITSM, ITIL® & ISO/IEC 20000 Implementation Toolkit, IT Governance, CD

Standards

ISO/IEC 20000-1:2011, Information technology — Service management — Part 1: Service management system requirements

ISO/IEC 20000-2:2012, Information technology — Service management — Part 2: Guidance on the application of service management systems

ISO/IEC 20000-3, Information technology — Service management — Part 3: Guidance on scope definition and applicability for ISO/IEC 20000-1

ISO/IEC TR 20000-4, Information technology — Service management — Part 4: Process reference model

ISO/IEC TR 20000-5, Information technology — Service management — Part 5: Exemplar implementation plan for ISO/IEC 20000-1

ISO 9000:2005, Quality management systems — Fundamentals and vocabulary

ISO 9001, Quality management systems — Requirements

ISO 9004:2000, Quality management systems — Guidelines for performance improvements

ISO 10002, Quality management — Customer satisfaction — Guidelines for complaints handling in organizations

ISO 19011, Guidelines for quality and / or environmental management systems auditing

ISO/IEC 19770-1, Information technology — Software asset management — Part 1: Processes


ISO/IEC/IEEE 24765, Systems and software engineering — Vocabulary

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27005, Information technology — Security techniques — Information security risk management

ISO 31000, Risk management — Principles and guidelines

ITIL and other (UK Government) Cabinet Office publications

Office of Government Commerce (2005) Managing Successful Projects with PRINCE2, TSO, ISBN-13: 978 0 113 30946 7

The Project Management Institute (2008) A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 4th edition, Project Management Institute, ISBN-10: 19 3069 945 X, ISBN-13: 978 1 930 69945 8

Cabinet Office ITIL Glossaries (www.best-management-practice.com/IT-Service-Management-ITIL)

Cabinet Office (2011) Service Strategy, TSO, ISBN-13: 978 0 113 31307 5

Cabinet Office (2011) Service Design, TSO, ISBN-13: 978 0 113 31305 1

Cabinet Office (2011) Service Transition, TSO, ISBN-13: 978 0 113 31306 8

Cabinet Office (2011) Service Operation, TSO, ISBN-13: 978 0 113 31307 5

Cabinet Office (2011) Continual Service Improvement, TSO, ISBN-13: 978 0 113 31308 2

Office of Government Commerce (2010) The Introduction to the ITIL Service Lifecycle, TSO, ISBN-13: 978 0 113 31062 3

COBIT, ISACA and ITGI publications

CobiT® 4.1, 2007, www.isaca.org/cobit – The CobiT framework (being updated to COBIT 5)

CobiT® User Guide for Service Managers, 2009

Implementing and Continually Improving IT Governance

ITGI Enables ISO/IEC 38500:2008 Adoption, 2009

Web addresses

www.iso.org

www.itil-officialsite.com

www.isaca.org

www.itgi.org

www.itgovernance.co.uk
