ISO/IEC 20000

Service Management Implementation

Prepared by

Barclay Rae

This document describes the key elements of an ISO/IEC 20000 approach.

1 Introduction

This document describes how organisations can analyse, assess and plan their approach to ISO/IEC 20000 accreditation.

With the global emergence of ITIL as the accepted standard for ITSM (IT Service Management), ISO/IEC 20000 has been developed as a measurable and auditable approach for IT service organisations to implement the ITIL processes and standards.

Implementing ISO/IEC 20000 is a major undertaking, both in terms of the audit process itself and the development work that is required to ensure successful accreditation.

Details of the work required and the associated process areas are shown below in section 4.

ISO/IEC 20000 requires further independent auditors to carry out the actual accreditation, once the development work is complete. ISO/IEC 20000 specifies that auditing and consulting functions must be carried out by completely separate organisations.


Organisations should be absolutely clear on the following if they are to undertake a full ISO/IEC 20000 project:

·  What business benefits they expect to achieve from ISO/IEC 20000

·  Where they currently stand against the standards

·  What work is required to meet the standards

·  What resources, costs and time are required to carry out this work

Axios Systems provides help with all of the above, by providing highly experienced people and a structured proven approach to assist in this process as follows:

·  Awareness Workshops

·  Feasibility assessment of business need and benefits for ISO/IEC 20000

·  Gap Analysis of the organisation against the required standards

·  Detailed operational and project planning

·  Project support during development work

We offer significant experience of ITSM projects and implementation, plus accredited ISO/IEC 20000 consultants to provide expert knowledge and understanding of the ISO/IEC 20000 process.

2 Overview of ISO/IEC 20000

ISO/IEC 20000 has been developed to provide a structured and audited approach to implementing successful and integrated IT Service Management. This has been based upon the established guidelines for support processes as defined in the ITIL (IT Infrastructure Library) Guidelines.

ITIL has emerged since the late 1980s from a UK Government process approach to be a globally accepted set of guidelines, now established in over 60 countries worldwide.

ITIL provides organisations with improved service quality, through increased control and visibility of business and service processes, greater accountability and management reporting, plus a far improved level of consistency and predictability across departments.

All of these factors provide IT organisations with the tools and standards to deliver far greater alignment of services to the organisation that they support.

The key feature to note is that all the service management processes need to be integrated – none can exist completely in isolation. As a result (and following the ITIL approach) the ISO/IEC 20000 process requires adherence to the minimum standard across all of the stated processes – there is no modular or ‘phased’ approach to achieving ISO/IEC 20000.

As a general point it should also be noted that the implementation of ISO/IEC 20000 covers all areas of IT – not just the service support and delivery areas (e.g. Helpdesks and Service Desks). The ISO/IEC 20000 approach includes some areas not directly covered in ITIL (e.g. Security), and is structured to include systems requirements and project/programme planning.

These include processes for Security, Capacity, Release, Configuration, and Change Management, as well as Service Continuity and Financial Management. As a result, the implications of ISO/IEC 20000 must be considered across the IT or Service Organisation as a whole.

ISO/IEC 20000 – key components

·  The Specification (ISO/IEC 20000 – 1) is the absolute set of standards that must be attained for accreditation. (Section 4 contains a high-level summary of this)

·  The Code of Practice (ISO/IEC 20000 – 2) provides a wider optional set of best practice approaches. For implementation, each organisation must decide which of these areas (general, mandatory, desired) to include in the assessment.

·  The Workbook (PD0015) is a means of assessing each organisation's current level of service provision against the prescribed standards.

·  Each organisation is required to define its own Processes and Procedures, based on the standards and specification requirements.

Most organisations looking at implementing ISO/IEC 20000 will usually have embarked on a Service Improvement Project – or will certainly need to set up a programme to support this.

Key issues to be considered are:

·  Is this right for us? – are we eligible, is this a mandatory business need, will we get clear benefits

·  Where do we stand currently against the standards? – how would we score and what are the current gaps that need to be filled

·  What benefits do we expect from ISO/IEC 20000? – industry standing, cost and quality benefits, benefits of going through a quality programme

·  What work is involved? – planning, costs, time and resources required to achieve ISO/IEC 20000 accreditation. This includes the development work and the auditing process


3 ISO/IEC 20000 DETAILS

These are the areas covered by ISO/IEC 20000:

Each area in the overall structure is discussed in a separate section below:

3.1 Requirements for a management system

Objective

‘To provide a management system, including policies and a framework to enable the effective management and implementation of all IT Services’

In summary this requires that there are suitable processes and policies in place to manage IT services in line with the business needs, and that management are demonstrably committed to making them work on an ongoing basis.

Management Responsibility

·  Establishment of the service management policy, objectives and plans

·  Communication of the importance of meeting Service management objectives and the need for continuous improvement

·  Determination of customer requirements, and ensuring that these are met with the aim of improving customer satisfaction

·  Appointment of a manager responsible for co-ordination and management of all services

·  Allocation and management of resources to plan, implement, monitor, review and improve service delivery

·  Risk management of the service management organisation

·  Regular reviews of the service management organisation to ensure continuing suitability, adequacy and effectiveness

Documentation

Organisations should provide documentation (in any medium) to ensure effective planning, operation and control of service management, including:

·  Service management policies and plans

·  SLAs

·  Processes and procedures as required in the standards

·  Records as required in the standards

·  Review procedures and responsibility for maintaining the currency of these documents

Competence, awareness and training

All service management roles and responsibilities should be defined and maintained with a skills matrix of competencies required for their successful execution. Staff competencies and training needs should be regularly reviewed for effectiveness.

Management are responsible for ensuring that all staff are aware of the relevance and importance of their activities and how they contribute to the achievement of the service management objectives.

3.2 Planning and implementing Service Management

Objective

‘To plan the implementation and delivery of service management’

This should be self-explanatory, although in this case the point is to ensure that all service activity is planned and managed, rather than being a reactive and ‘ad hoc’ process. ISO/IEC 20000 follows a ‘Plan, Do, Check, Act’ approach.

Plan - Service Management plans should include:

·  Scope of service management

·  Objectives and requirements

·  Processes to be executed

·  Management structure, roles and responsibilities of all parties involved in the service supply chain (including 3rd parties)

·  Interfaces between processes and operational activities

·  Approach to risk management

·  Approach to projects where services may be created or modified

·  Resources, facilities and budgets

·  Tools required to support processes

·  Quality management and controls

Do - Implement service management and provide services by:

·  Allocating funds and budgets

·  Allocating roles and responsibilities

·  Documenting and maintaining policies, plans and procedures for all processes

·  Identifying and managing risk

·  Managing and recruiting teams and staff

·  Managing resources and budgets

·  Managing service desk and operations teams

·  Reporting progress against plans

·  Co-ordinating processes

Check – Monitor, measure and review that objectives are being met

·  Management should ensure that appropriate monitoring and auditing processes are in place and regularly carried out, to demonstrate how the organisation is achieving the planned results.

Regular reviews should establish:

·  That the service management activities and requirements conform with the plan and the standard, and are being effectively implemented and maintained

Act – continuous improvement

There should be a policy and associated roles and responsibilities for continuous service improvement. This should be regularly reviewed and input to the service improvement plan on an ongoing basis.

Key activities:

·  Collection and analysis of data to baseline and benchmark the organisation’s ability to manage and deliver service management

·  Identification, planning and implementation of service improvements

·  Consultation with all parties involved in the service supply chain

·  Setting of targets for improvements in quality, cost and resource utilisation

·  Consideration of input from all service management processes

·  Measurement, reporting and communication of service improvements

·  Revision of policies, plans and procedures as necessary

·  Ensure delivery of all associated activities to meet objectives


3.3 Planning and implementing new or changed services

Objective

‘To ensure that new services and changes to services will be deliverable and manageable at the right cost and service quality’

This is the project and/or organisational change element in ISO/IEC 20000, whereby an organisation should ensure that any new or changed activities are carefully planned to reduce impact on business as usual and to maximise the expected service and quality benefits effectively and as soon as possible.

All new services and changes to services must be planned and approved through a formal change management process. Planning should include adequate funds and resources to meet requirements for change.

Plans should include:

·  Roles and responsibilities, including customers and 3rd parties

·  Any changes to the existing service management framework

·  Communications planning to relevant parties

·  New or changed contracts and SLAs

·  Manpower and recruitment requirements

·  Skills and training requirements

·  Processes and tools to be used

·  Budgets and timescales

·  Service Acceptance criteria

·  Measurable benefits/outcomes expected

New or changed services must be accepted by the service provider before being accepted into the live environment.

A post implementation review should report on the outcomes achieved and identify actual against planned results, which should be discussed with relevant parties.


3.4 Service Delivery processes

Service Level management

Objectives

‘To define, agree, record and manage levels of service’

Required Elements

·  Documentation of agreement on service level targets and workload between all relevant parties

·  Supporting contracts and procedures, and internal and external agreements, should be recorded

·  SLAs should be under change control and reviewed by all parties to ensure currency and effectiveness

·  SLAs must be monitored and reported against targets, showing current and trend information

·  Reasons for non-conformance should be reported and used as input to service improvement plans and activities

Service Reporting

Objectives

‘To produce agreed, timely, reliable, accurate reports for informed decision making and effective communication’.

Required elements

There should be a clear description of each service report including identity, purpose, audience and data sources. Reports should include:

·  Performance against SLA targets

·  Non-compliance and issues

·  Workload characteristics

·  Performance reporting against major events

·  Trend information

·  Customer satisfaction analysis


Availability and service continuity management

Objectives

‘To ensure that agreed obligations to customers can be met in all circumstances’.

Required elements

Requirements should be identified on the basis of business plans, SLAs and risk assessments.

Key components:

·  Plans should be developed and reviewed annually

·  Change management should assess the impact of any change on the availability and service continuity plan

·  Availability should be recorded, including non-planned unavailability

·  Should include e.g. response times, end-to-end availability

·  Service continuity plans should be available when normal office access is prevented

·  Service continuity plans should be tested and failures input to action plans

Budgeting and accounting for IT services

Objectives

‘To budget and account for the cost of service provision’.

Required elements summary

Clear policies and procedures should be in place for:

·  Budgeting and accounting for all components, including IT assets, resources, overheads, 3rd party services, staff, insurance and licences

·  Allocation of all indirect costs to relevant services

·  Effective financial controls and authorisation

The service provider should monitor and report costs against budget and review and manage costs accordingly. Changes to services should be approved through change management.

Capacity management

Objectives

‘To ensure that the organisation has, at all times, sufficient capacity to meet the current and future agreed demands of the business’.

Required elements

A capacity plan should be maintained to address business needs and include:

·  Current and predicted capacity and performance requirements

·  Identified time-scales, thresholds and costs for service upgrades

·  Evaluation of effects of anticipated service upgrades, requests for change, new technologies and techniques on capacity

·  Predicted impact of external – e.g. legislative – changes

·  Data and processes to enable predictive analysis

Methods, procedures and techniques should be identified to monitor service capacity, tune service performance and provide adequate capacity.

Information security management

Objectives

‘To manage information security effectively within all service activities’.