Understanding ISO/IEC 20000-1:2011 Presentation Slides

ITS01001ENUS v2.1 June 2013 © The British Standards Institution 2012 1

Copyright © 2012 BSI. All rights reserved. V2.1 June 2013

ITS-010-01-ENUS

Understanding ISO/IEC 20000-1:2011 IT Service Management

Welcome!

• Safety - be aware of emergency exits

• Restroom and Telephones - nearest locations

• Contact Number - for urgent messages

• Personal Property - keep possessions secure

• Phones and Pagers - please avoid interruptions

• Recording Devices - not allowed in class

• Lunch and Breaks - please return on time

• Smoking - not permitted in the classroom

Student Introductions

• Student Name

• Company and Product/Service

• Job Position

• Knowledge of ISO/IEC 20000 (scale of 1-10)

• Course Expectations

Fundamentals of IT Service Management and the ISO/IEC 20000 Series

Learning Objectives

• Explain the management system framework

• Understand the purpose of ISO/IEC 20000-1:2011

• Understand the role of service management processes

• Understand the primary requirements of ISO/IEC 20000-1:2011 and how they apply to IT service management systems

Service Management

Service management is defined as the:

Set of capabilities and processes to direct and control the service provider’s activities and resources for the design, transition, delivery and improvement of services to fulfill service requirements

3.30, ISO/IEC 20000-1:2011

ISO/IEC 20000 Series of Standards

ISO/IEC 20000-1:2011 Service management system requirements

ISO/IEC 20000-2:2012 Guidance on the application of service management systems

ISO/IEC 20000-3:2012 Guidance on scope definitions and applicability of ISO/IEC 20000-1

ISO/IEC TR 20000-4:2010 Process reference model

ISO/IEC TR 20000-5:2010 Exemplar implementation plan for ISO/IEC 20000-1

Objectives of ISO/IEC 20000-1:2011

To improve the overall delivery of your business by improving the delivery of IT services

To promote the adoption of an integrated process approach to deliver managed services to meet the business and customer requirements

To help coordinate integration and implementation of the service management processes. This provides ongoing control, greater efficiency and opportunities for continual improvement

To enable the organization to generate revenue or be cost effective via professional service management

The Overall Purpose

• Move from investing in technology to develop services to managing the quality of these systems and services

• Ensure cost effective service delivery

• Offer internationally accepted guidance, best practices, and standards

• Transform IT departments from reacting to business requirements to become an integral and proactive part of the business

Outcomes

• Provides control, greater efficiency and opportunities for improvement

• Turn technology focused departments into ones with a service focus

• Ensure IT services are aligned with and satisfy business needs

• Improve system reliability and availability

• Provide a basis to agree levels of service and the ability to measure IT service quality

• Help establish the true cost of IT

SMS Documents

Process definition

Certification ISO/IEC 20000-1 Specification for Service Management

ISO/IEC 20000-2 Guidance on the Application of Service Management Systems

BIP 0005 Management Guidance Booklet and PD 0015 IT Service Management Self-assessment workbook

All based on the foundation of the IT Infrastructure Library, the only comprehensive documentation of best practice for Service Management

FOUNDATION

Standard’s Fit

ISO/IEC 20000:2011

ISO 9001:2008

ISO/IEC 27001:2005 & ISO/IEC 27002:2005

ISO/IEC 20000-1:2011 and ITIL

ISO/IEC 20000:2011 and ITIL

ISO/IEC 20000 and ITIL Relationship

• ITIL and ISO/IEC 20000 serve different purposes:

• ISO/IEC 20000 provides a management system suitable for independent certification by an organization

• ITIL provides best practices in IT Service Management and provides certification to individuals.

It is not a requirement to adopt ITIL to achieve compliance with ISO/IEC 20000, but it will make it much easier and more robust.

Overview of ISO/IEC 20000-1:2011

Introduction

• ISO/IEC 20000-1 requires an integrated process approach when planning, establishing, implementing, operating, monitoring, reviewing, maintaining and improving an SMS

• Plan – Do – Check – Act to be applied to all parts of the SMS and its services

Process Approach

A process is a set of interrelated or interacting activities that uses resources to transform inputs into outputs

The process approach systematically identifies and manages the linkage, combination, and interaction of a system of processes within an organization

ISO/IEC 20000-1 is based on a process approach to service management

Process Approach

The process approach emphasizes the importance of:

• Understanding and meeting service requirements

• Establishing policy and objectives for service management

• Designing and delivering services that add value to the customer

• Obtaining results of SMS and service performance

• Continual improvement of SMS and services

PDCA Model

Policy and Objectives

• Policy and objectives are established to:

• Give focus to direct the organization

• Determine the desired results

• Assist in applying the resources

• Policy is the framework for the objectives

• Objectives are measurable targets

Meeting the objectives has a positive impact on service quality and customer satisfaction

Service management system

Management System Evaluation

• System processes need to be evaluated. Are the:

• Processes appropriately defined?

• Authorities and responsibilities assigned?

• Processes implemented and maintained?

• Processes achieving desired results?

• System evaluations include:

• Audits

• Management reviews

Continual Improvement

• Set targets for improvements

• Implement approved improvements

• Revise service management documentation

• Measure implemented improvement against targets

• Where targets not achieved, take action

• Report on implemented improvements

Requirements

ISO/IEC 20000-1:2011

1. Scope

ISO/IEC 20000-1 may be used by:

• Businesses that tender their services

• Businesses that require a consistent approach by all service providers in a chain

• Service providers as a benchmarking tool

• Organizations requiring independent assessment of IT service management

• Organizations that need to demonstrate the ability to provide services that meet customer requirements

• Organizations that aim to improve service

1.2 Application

• Requirements are generic – they apply to any organization

• Exclusion of any requirement in clauses 4-9 not acceptable

• Requirements of clause 4 must be met by the service provider – not by other parties

• Clauses 5-9 can be fulfilled by other parties

2. Normative references

• None currently cited

• Clause is included for the upcoming release of ISO/IEC 20000-2: Guidance on the application of service management systems

3. Terms and Definitions

Availability

Ability of a component or service to perform its required function at a stated instant or over a stated period of time

Configuration Item (CI)

Element that needs to be controlled in order to deliver a service or services

Document

Information and its supporting medium

3. Terms and Definitions

Incident

Unplanned interruption to a service, a reduction in the quality of a service or an event that has not yet impacted the service to the customer

Problem

Root cause of one or more incidents

Record

Document stating results achieved or providing evidence of activities performed

3. Terms and Definitions

Release

Collection of one or more new and/or changed configuration items deployed into the live environment as a result of one or more changes

Request for Change

Proposal for a change to be made to a service, service component or the service management system

Service Level Agreement (SLA)

Documented agreement between the service provider and customer that identifies the services and service targets

4. Service Management System General Requirements

Note: SMS = Service Management System

Requirements

Please note:

Requirements stated in the following slides are paraphrased and are not all-inclusive

The slides contain high level requirements in order to provide an understanding of the standard

Please consult the standard directly for definitive requirements

4. Service Management System General Requirements

4.1 Management responsibility

4.2 Governance of processes operated by other parties

4.3 Documentation management

4.4 Resource management

4.5 Establish and improve the SMS

4.1.1 Management commitment

• Establish scope, policy and objectives

• Create the service management plan

• Communicate importance of meeting service requirements

• Communicate importance of meeting legal requirements

• Ensure provision of resources

• Conduct management reviews at planned intervals

• Ensure risks to services are assessed and managed

4.1.2 Service management policy

• Appropriate to the organization

• Commitment to meet service requirements

• Continually improve the SMS and services

• Establish a framework for SM objectives

• Be communicated and understood by SM personnel

• Be reviewed for continuing suitability

4.1.3 Authority, responsibility and communication

• SM authorities and responsibilities are defined and maintained

• Documented procedures for communication are established

4.1.4 Management representative

Member of management who shall:

• Ensure activities are performed to identify, document and fulfill requirements

• Assign authorities and responsibilities

• Ensure service management processes are integrated

• Ensure assets used to deliver services are managed

• Report performance and improvements to top management

4.2 Governance of processes operated by other parties

• Must identify processes or parts operated by other parties

• Can be internal groups, customer or supplier

• Governance demonstrated by

• Showing accountability for the process

• Controlling the process definition

• Determining process performance

• Controlling the planning of improvements

• Suppliers managed through supplier management

• Internal groups/customers controlled through service level management

4.3.1 Establish and maintain documents

• Must maintain documents and records to include:

• Policy and objectives

• Service management plan

• Policies and procedures specified in this standard

• Service catalog

• SLAs

• Service management processes

• Procedures and records required by this standard

• Documents determined by the service provider as necessary to ensure control of the SMS and delivery of services

4.3.2 Control of documents

Documents needed by the SMS must be controlled. A documented procedure will define controls to:

• Create and approve documents

• Review and maintain documents

• Ensure current revisions are identified

• Ensure relevant versions are available at point of use

• Prevent unintended use of obsolete documents

4.3.3 Control of records

Records are kept as evidence of conformity to requirements

A documented procedure will define controls needed for:

• Identification

• Storage

• Protection

• Retrieval

• Retention

• Disposal

4.4.1 Provision of resources

Service provider must determine and provide human, technical, information and financial resources to:

• Establish, implement and maintain the SMS and services

• Enhance customer satisfaction

4.4.2 Human resources

Personnel performing work affecting conformity to service requirements must be competent. The service provider shall:

• Determine competencies

• Where applicable, provide training to achieve competence

• Evaluate effectiveness of actions taken

• Ensure personnel are aware of importance of their contribution to achieving SM objectives

• Maintain records of education, training, skills and experience

4.5.1 Define scope

• Define and include scope in the service management plan.

• Defined by name of organizational unit providing services and services delivered

4.5.2 Plan the SMS (Plan)

SM plans must contain or reference:

• Scope of SM

• Objectives to be achieved and requirements to be met

• Approach taken for management of risks and criteria for accepting risk

• Framework of management roles and responsibilities

• Interfaces between SM processes

• How effectiveness of the SMS will be measured, audited, reported and improved

4.5.3 Implement and operate the SMS (Do)

• Allocating funds and budgets

• Allocating authorities, responsibilities and process roles

• Management of human, technical and information resources

• Identifying, assessing and managing risks to the service

• Management of service management processes

• Managing and reporting on performance

4.5.4 Monitor and review the SMS (Check)

• Objectives of internal audits and management reviews must be documented. Results of internal audits and management reviews must be recorded.

• Internal audits conducted at planned intervals.

• Documented procedure for internal audits

• Management reviews conducted at planned intervals must be recorded and cover:

• Customer feedback

• Risks

• Results and follow-up from previous management reviews

4.5.5 Maintain and improve the SMS (Act)

• Documented policy on continual improvement

• Documented procedure for approving, managing and measuring improvements

• Opportunities for improvement must be documented

• Causes of nonconformities must be corrected

• Corrective actions performed to prevent recurrence

• Preventive actions performed to prevent occurrence

• Set targets for improvements

• Ensure improvements achieve desired results

5. Design and transition of new or changed services

5. Design and transition of new or changed services

5.1 General

5.2 Plan new or changed services

5.3 Design and development of new or changed services

5.4 Transition of new or changed services

5.1 General

• This process used where new/changed services have the potential to have a major impact on services or customer

• Changes determined by change management policy

• Assessment, approval and scheduling through change management process

• CIs affected by new/changed service controlled through configuration management process

5.2 Plan new or changed services

• New/changed services must be planned to fulfill service requirements

• Planning must be agreed with the customer

• Planning shall contain or reference:

• Authorities and responsibilities for design, development and transition

• Human, technical, information and financial resources

• Identification, assessment and management of risk

• Testing required

• Expected outcomes in measurable terms

5.3 Design and development of new or changed services

• New/changed services must be documented to include:

• Authorities and responsibilities for delivery of new service

• Activities performed by service provider, customer or others

• New/changed technology to support the service

• New/changed plans and policies

• New/changed SLAs

• Updates to the service catalog

5.4 Transition of new or changed services

• New/changed services must be tested

• Verified against acceptance criteria agreed between the service provider and interested parties

• Release and deployment process used to deploy the change

• Following transition, service provider must report on outcome achieved against expected outcomes

6. Service delivery processes

6. Service delivery processes

6.1 Service level management

6.2 Service reporting

6.3 Service continuity and availability management

6.4 Budgeting and accounting for services

6.5 Capacity management

6.6 Information security management

6.1 Service level management

• Service catalog must be documented and agreed with customer

• For each service provided, SLAs shall be agreed with the customer and documented

• Services and SLAs must be reviewed with customer at planned intervals

• Changes to SLAs, catalog or requirements are controlled through change management

• For service components provided by an internal group, the service provider must maintain a documented agreement

6.2 Service reporting

• The description, purpose, audience, frequency and data sources for reports must be agreed by interested parties

• Produce service reports for the delivery of services and the SMS including:

• Performance against targets

• Information on major incidents, deployments and invocation of the service continuity plan

• Detected nonconformities

• Trend information

• Customer satisfaction

6.3.1 Service continuity and availability requirements

• Must assess and document risks to service continuity and availability of services

• Continuity and availability requirements must be agreed with the customer and interested parties. These shall include at least:

• Access rights to services

• Service response times

• End to end availability of services

6.3.2 Service continuity and availability plans

• Service continuity and availability plans must be created, implemented and maintained

• Changes to plans controlled through change management

• Service continuity plans, contact lists and the CMDB must be accessible when access to normal locations is prevented

• Availability plans must include availability requirements and targets

• Requests for change must be assessed for impact on service continuity and availability plans

6.3.3 Service continuity and availability monitoring and testing

• Availability must be monitored and results recorded

• Unplanned non-availability must be investigated and actions taken

• Service continuity and availability plans must be tested against requirements

• Plans must be re-tested after major changes to environment

• Results of tests must be recorded

• Reviews must be conducted after each test and action taken where deficiencies are found

6.4 Budgeting and accounting for services

Organization must have documented policies and procedures for:

• Budgeting and accounting for service components

• Apportioning indirect costs / allocating direct costs to provide an overall cost for each service

• Effective financial control and authorization

• Monitor and report costs against budget

• Provide information to change management for costing requests for change

6.5 Capacity management

• Identify and agree capacity and performance requirements with the customer and interested parties

• Create and maintain a capacity plan

• Changes to plan controlled through change management

• Plan to include at least:

• Current and forecast demand for services

• Timescales, thresholds and costs for upgrades

• Potential impact of legal changes

• Potential impact of new technologies or techniques

6.6.1 Information security policy

• Management with proper authority must approve an information security policy. Management shall:

• Communicate policy to all relevant personnel, customers and suppliers

• Ensure information security objectives are established

• Define approach for managing security risks and criteria for accepting risks

• Ensure information security risk assessments are conducted at planned intervals

• Ensure internal information security audits are conducted

• Ensure audit results are reviewed and acted upon.

6.6.2 Information security controls

• Information security controls must be documented and include the risks to which the controls relate

• Review the effectiveness of controls

• Identify external organizations with a need to access, use or manage the service provider’s information or services

• Controls for external organizations must be agreed and documented

6.6.3 Information security changes and incidents

• Requests for change must be assessed to:

• Identify new or changed information security risks

• Identify potential impact on existing policy and controls

• Incidents are managed according to a procedure

• Service provider shall analyze types, volumes and impacts of information security incidents

• Information security incidents shall be reported and reviewed

7. Relationship Processes

7. Relationship Processes

7.1 Business relationship management

7.2 Supplier relationship

7.1 Business relationship management

• Service provider must:

• Identify and document customers, users and interested parties of the services

• Provide an individual for each customer to manage the relationship

• Review performance of services with customer at planned intervals

• Agree with customer on definition of a formal service complaint

• Document a procedure for managing complaints

7.2 Supplier management

• Service provider may use suppliers to implement and operate some parts of the service management processes

• Each supplier shall have a designated supplier manager

• The service provider and supplier shall agree and document a contract, which is controlled through change management

• Roles and relationships between lead and sub-contracted suppliers must be documented

• Service provider shall monitor supplier performance at planned intervals and record results

8. Resolution Processes

8. Resolution processes

8.1 Incident and service request management

8.2 Problem management

8.1 Incident and service request management

• Documented procedure for all incidents to define recording, priority, classification, update, escalation, resolution and closure

• Documented procedure for service requests

• Personnel in incident and service request management must have access to relevant information

• Document and agree with customer on definition of a major incident

• Top management must be informed of all major incidents

8.2 Problem management

• Documented procedure to identify problems and minimize or avoid impact of incidents

• Analyze data and trends of incidents and problems

• Problems requiring changes to a CI must be controlled by raising a request for change

• Known errors shall be recorded

• The effectiveness of problem resolutions shall be monitored, reviewed and reported

9. Control Processes

9. Control processes

9.1 Configuration management

9.2 Change management

9.3 Release and deployment management

9.1 Configuration management

• Document a procedure for each type of CI

• CIs must be uniquely identified and recorded in the CMDB

• Document a procedure to record, control and track CIs

• CMDB records shall be audited at planned intervals

• Information from the CMDB shall be provided to the change management process

• A configuration baseline shall be taken prior to deployment

• Master copies of CIs must be stored in secure libraries and include documentation and license information

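The 9.1 requirements above (unique CI identification in the CMDB, a configuration baseline before deployment, and CMDB audits at planned intervals) are easier to picture as a small program. The following is an added example written for this page, not code from BSI or from the standard. It assumes an in-memory CMDB of configuration items and a constructed "live" inventory; the hash-based fingerprinting of each CI's master copy is an assumed scheme, not something the slides prescribe.

```python
"""Configuration baseline and CMDB audit.

Added example, not from the BSI slides: a small in-memory model of three of
the 9.1 requirements paraphrased above, i.e. CIs uniquely identified and
recorded in the CMDB, a configuration baseline taken before deployment, and
CMDB records audited against the live estate at planned intervals. The CMDB
contents and the "live" inventory are constructed sample data; a real
implementation would load them from the CMDB and from host discovery.
"""
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class ConfigItem:
    """One CI record. content_hash fingerprints the master copy held in the
    secure library, so a tampered or drifted copy shows up as 'changed'."""
    ci_id: str
    ci_type: str
    version: str
    content_hash: str


def fingerprint(master_copy: bytes) -> str:
    """SHA-256 of a CI's master copy (assumed fingerprinting scheme)."""
    return sha256(master_copy).hexdigest()


def duplicate_ids(cis):
    """Return CI ids that occur more than once; 9.1 requires this to be empty."""
    seen, dupes = set(), []
    for ci in cis:
        if ci.ci_id in seen and ci.ci_id not in dupes:
            dupes.append(ci.ci_id)
        seen.add(ci.ci_id)
    return dupes


def take_baseline(cis):
    """Snapshot the CMDB as {ci_id: ConfigItem}, refusing ambiguous records."""
    dupes = duplicate_ids(cis)
    if dupes:
        raise ValueError(f"CMDB records are not uniquely identified: {dupes}")
    return {ci.ci_id: ci for ci in cis}


def audit_cmdb(baseline, live_cis):
    """Classify drift between the baseline and what is actually deployed."""
    live = {ci.ci_id: ci for ci in live_cis}
    added = sorted(set(live) - set(baseline))       # deployed but unrecorded
    missing = sorted(set(baseline) - set(live))     # recorded but not found
    changed = sorted(i for i in baseline.keys() & live.keys()
                     if baseline[i] != live[i])     # version/hash mismatch
    return {
        "added": added,
        "missing": missing,
        "changed": changed,
        "conforming": not (added or missing or changed),
    }


# Constructed sample CMDB: the state recorded before a deployment.
BASELINE_CIS = [
    ConfigItem("web-01", "webserver", "1.24.0", fingerprint(b"nginx.conf v1")),
    ConfigItem("db-01", "database", "15.3", fingerprint(b"postgresql.conf v1")),
    ConfigItem("app-01", "application", "2.1.0", fingerprint(b"app release 2.1.0")),
]

# Constructed "live" inventory as discovered at the next planned audit:
# app-01 was upgraded without a request for change, db-01 is gone, and
# web-02 appeared without ever being recorded.
LIVE_CIS = [
    ConfigItem("web-01", "webserver", "1.24.0", fingerprint(b"nginx.conf v1")),
    ConfigItem("app-01", "application", "2.2.0", fingerprint(b"app release 2.2.0")),
    ConfigItem("web-02", "webserver", "1.24.0", fingerprint(b"nginx.conf v1")),
]


def run_sample_audit():
    """Baseline the sample CMDB and audit the sample live inventory against it."""
    return audit_cmdb(take_baseline(BASELINE_CIS), LIVE_CIS)


if __name__ == "__main__":
    result = run_sample_audit()
    for category in ("added", "missing", "changed"):
        for ci_id in result[category]:
            print(f"{category:8s} {ci_id}")
    print("CMDB conforms to baseline" if result["conforming"]
          else "nonconformities found: raise requests for change and investigate")
```

Each audit finding maps back to the control processes: an "added" or "changed" CI is a change that bypassed 9.2 and needs a request for change raised retrospectively, and a "missing" CI is either an unrecorded decommissioning or an availability incident for 8.1 to handle. Refusing to baseline a CMDB with duplicate ids is deliberate: an audit over ambiguous records cannot say which CI drifted.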
9.2 Change management

• Document a change management policy

• Document a procedure to record, classify, assess and approve requests for change

• Document and agree with the customer a definition for an emergency change

• Document an emergency change procedure

• All changes to a service or service component must be raised using a request for change

• The CMDB shall be updated following successful deployment

9.3 Release and deployment management

• Establish and agree with customer a release policy

• Plan new/changed service deployment with the customer

• Document and agree with customer the definition of an emergency release

• Emergency releases managed to a documented procedure

• Release shall be tested in a controlled test environment prior to deployment

• Acceptance criteria shall be agreed with the customer

• Activities to reverse or remediate a release shall be planned

Summary

Summary and Questions?

• Purpose and benefits of ISO/IEC 20000-1:2011

• Purpose of ISO 20000 standards

• Overview of the Management system

• Process approach and PDCA

• Management responsibilities

• Documentation requirements

• Service management processes

Contact Information

Address: BSI Group America, Inc.

12110 Sunset Hills Road Suite 200

Reston, VA 20190-5902

Telephone: 1 (888) 429-6178

Fax: 1 (703) 437-9001

Email: [email protected]

Web www.bsiamerica.com

Thank you for participating!

ISO/IEC 20000-1:2011 Understanding
