An Introduction to ISO/IEC 20000:2011 ISO/IEC 20000:2011 ISO/IEC 20000:2011 Process Model Building upon ITIL What are the Benefits of ISO/IEC 20000? The Certification Process Where can I find out more? ISO/IEC 20000:2011 ISO/IEC 20000 is the international standard for IT Service Management (derived from the British Standard BS 15000) which builds upon the IT Infrastructure Library (ITIL) guidelines for best practice service management. The edition referred to here was published in May 2011 and although is formally known as ISO/IEC 20000:2011, it is also more commonly known as ISO 20000. ISO/IEC 20000 consists of two main parts: ISO/ IEC 20000-1:2011 Information technology – Service management, Part I: Service management system requirements This element of the standard consists of mandatory statements that define the elements of the standard. The core process groupings are: Service management system general requirements Design and transition of new or changed services Service delivery processes Relationship processes Resolution processes Control processes ISO/ IEC 20000-2:2012 Information technology – Service management, Part 2: Guidance on the application of service management systems This element consists of information that will assist organisations that are to be audited or are simply aiming to improve their IT service management. There are further supporting elements that are also available (as at April 2016) and these are as follows: ISO/IEC 20000-3:2012 – Guidance on scope definition and applicability of ISO/IEC 20000-1 ISO/IEC 20000-4:2010 – Process reference model ISO/IEC 20000-5:2013 – Exemplar implementation plan for ISO/IEC 20000-1 ISO/IEC 20000-9:2015 – Guidance on the application of ISO/IEC 20000-1 to cloud services ISO/IEC 20000-10:2013 – Concepts and terminology The standard provides senior business and IT managers with a method of measuring the effectiveness and efficiency of the IT service operation, assuring compliance and governance. Part 1 contains the mandatory aspects that are required to be fulfilled if an organisation is to achieve the certification. An organisation will have to show evidence that not only are all of the processes and policies in place, but that the processes are being operated on a day-to-day, business-as-usual basis. Typically, organisations will have to show an auditor three months’ worth of evidence to support the operation of the processes. ISO/IEC 20000:2011 Process Model The process names referred to in ISO/IEC 20000:2011 are aligned with those described in the ITIL version 3 2011 edition publications, with the following exceptions: The ITIL Financial Management process is named “Budgeting and accounting for services” because ‘charging’ is an optional activity within ITIL, and ISO/IEC 20000:2011 only deals with the mandatory aspects of financial management activities. If an organisation is performing charging activities then that is fine, but the organisation will not be audited on those activities. ISO/IEC 20000:2011 deals with “Service continuity and availability management” as a single topic; they are dealt with separately within ITIL and FoxPRISM. ISO/IEC 20000:2011 deals with “Incident and service request management” as a single topic; they are dealt with separately within ITIL and FoxPRISM, in which Service Request Management is referred to as Request Fulfilment. Organisations that are certified to the ISO/IEC 27001 standard will meet most of the requirements for the ISO/IEC 20001:2011 Information Security Management process but there are some differences which will still need to be audited, for example the requirements for the assessment of requests for change via Change Management and the requirement to use the Incident Management procedures for managing security incidents. The Service Management System and its clauses sit above the processes to provide a controlled management environment. The following clauses are closely aligned to both the ISO 9001 and ISO/IEC 27001 standards and enable integrated management systems: Clause 4.1 – Management responsibility Clause 4.3 – Documentation management Clause 4.4 – Resource management Clause 4.5.4 – Monitor and review the SMS Building upon ITIL ISO/IEC 20000 is aligned with the ITIL best practice guidelines. Any organisation that has implemented the ITIL guidelines will satisfy many of the requirements of the standard. ITIL is comprised of five publications as shown below; click on one of the book covers to find out more details about that particular book. Service Strategy Service Design Service Transition Service Operation Continual Service Improvement What are the Benefits of ISO/IEC 20000 Developing an ISO/IEC 20000 standard compliant IT service organisation will take time and will often lead to some organisational change, however some of the benefits of having a proven, conformant best practice IT service provision are: A more competitive business. IS/IT strategy aligned with the overall business strategy. More effective risk management and a reduction in risk. More effective cost management and a potential reduction in costs. Faster time to implement change. Improved reliability and availability of services, leading to improved customer satisfaction. Suppliers and partners will become more integrated and service focused. Possibility of benchmarking with other organisations. The Certification Process Once an organisation has decided that they wish to attain the ISO/IEC 20000 certificate, they should engage with a Registered Certification Body (RCB). The RCB will be able to work with the organisation in defining what the scope of the certificate will be; this is an important stage as it may be that the organisation is not suitable or eligible for the certificate. The scope will also help dictate the work that will need to take place prior to the RCB attending to perform a formal audit. Depending upon the scope of the certificate and the size of the organisation, the auditors will likely spend 2 or 3 days in the organisation looking at the processes and the operation of the processes, and the relevant supporting evidence. The auditors will then likely spend 1 or 2 days off-site looking at documentation in more detail, before returning to the organisation to confirm achievement of the standard or not. If the standard has not been achieved, deficient areas will be highlighted and the organisation will be given a period of time to implement the appropriate improvements before the auditors return to review the improvements that have been made. A certificate, once granted, is valid for a period of three years. The RCB will perform interim audits on an annual basis, but will then perform a full audit at the end of three years. Where Can I find out more? Copies of the standard, and the supporting material, can be purchased via the BSI Group web-site. Click here for the itSMF UK website. Click here for APMG International’s ISO/IEC 20000 website which provides more information on ISO/IEC 20000 certification and qualifications.