ISO/IEC 20000: 2011
IT Service Management
WHITE PAPER

Background and overview to the ISO/IEC 20000: 2011
Building on ITIL

First published in 2005, ISO/IEC 20000 is the international standard for IT Service Management. It is published by ISO, the International Organization for Standardization, based in Geneva, and has been adopted globally. It describes an integrated set of management processes for the effective delivery of services to the business and customers.

This is all contained within a quality management system which itself aligns with other pertinent standards such as ISO 9001, ISO/IEC 27001 etc.

The standard comprises several parts. Part 1 is the formal specification and details the requirements for a service management system that enables the service provider to “fulfil service requirements and provide value for both the customer and the service provider”.

Part 2 provides guidance on the application of service management systems. It describes the best practices for service management within the scope of ISO/IEC 20000-1. It provides more detail about the processes organizations should follow to achieve the requirements laid out in Part 1.

Part 3 gives guidance on scope definition and applicability of the standard. This is required to help understand the often complex supply chains involved in IT service management, particularly where many process areas and functions are outsourced.

Part 1 comprises several sections. Many of the process names will be recognized by those familiar with ITIL.

ISO 22031 covers every phase of the implementation and operation of a business continuity management system, and provides a framework that can help organisations accomplish the following:

  • Scope – outlining the scope of the ISO/IEC 20000 standards.
  • Terms & definitions – explaining the terminology used in the requirements.
  • General requirements for a management system – similar to other standards such as ISO 9001 and ISO/IEC 27001, outlining the detailed management responsibilities, including resourcing, reporting, accountability and documentation.
  • The general requirements also cover scope and process governance, documenting a formal plan for the overall management system including process integration and continual improvement.
  • Design and transition of new or changed services – key to enabling the smooth implementation of new services, or major changes to existing services.
  • Service delivery processes – capacity management, service level management, information security management, budgeting and accounting for IT services, service reporting and service continuity and availability management.
  • Relationship Processes – supporting business relationship management and supplier management in the end to end supply chain.
  • Control Processes – configuration management, change management and release and deployment management.
  • Resolution Processes – incident management and problem management.

Key Areas

ISO 20000-1 Standard

The core elements of an ISO 20000-1 IT Service Management System

Clause 4: Service management system general requirements

Top management shall provide evidence of its commitment to planning, establishing, implementing, operating, monitoring, reviewing, maintaining, and improving the SMS and the services by:
  • Establishing and communicating the scope, policy and objectives for service management
  • Ensuring that the service management plan is created, implemented and maintained in order to adhere to the policy, achieve the objectives for service management and fulfil the service requirements
  • Communicating the importance of fulfilling service requirements
  • Communicating the importance of fulfilling statutory and regulatory requirements and contractual obligations
  • Ensuring the provision of resources
  • Conducting internal audits and management reviews at planned intervals and
  • Assuring that risks to services are assessed and managed

 

CLAUSE 5: DESIGN AND TRANSITION OF NEW OR CHANGED SERVICES

Operating businesses and organizations will always need new and improved services. All these changes shall be part of the change management process.
The following processes shall be considered for the design and transition of the new or changed service:
  • Planning new or changed services – Identifying the service requirements for the new or changed service
  • Design and development of new or changed services – Designing and documenting the new or changed service
  • Transition of new or changed services – Testing the new service to verify that it fulfils the service requirements and the documented design

 

CLAUSE 6: SERVICE DELIVERY PROCESSES

The service provider shall consider the following processes for service delivery:
  • Service level management
  • Service reporting
  • Service continuity and availability management
  • Budgeting and accounting for services
  • Capacity management
  • Information security management

CLAUSE 7: RELATIONSHIP PROCESSES

The two relationship processes regarding IT service management are:
  • Business relationship management: The objective of business relationship management is to establish and maintain a good relationship between the service provider and the customer based on understanding the customer and their business drivers
  • Supplier management: The objective of supplier management is to ensure the provision of consistent quality services

 

CLAUSE 8: RESOLUTION PROCESSES

This clause includes incident and service request management, and problem management. It recognizes the existing practice in many organizations of handling incident reports and service changes through one common process.

The objective of incident management is to restore normal services as soon as possible. The objective of problem management, on the other hand, is to minimize disruptions to the business by identifying and analyzing the cause of incidents and by managing problems to closure.


CLAUSE 9: CONTROL PROCESSES

Configuration Management: This process manages the service assets and Configuration Items (CIs) in order to support other Service Management processes. Configuration records and records of deficiencies are the required documents of configuration management. The objective of configuration management is to define and control the components of the service and maintain accurate configuration information.

Change Management: A change management policy shall be established that defines:

  • CIs which are under the control of change management and
  • Criteria to determine changes with potential to have a major impact on services or the customer

PDCA Cycle

ISO/IEC 20000-1:2011
IT Service Management

The Plan-Do-Check-Act (PDCA) cycle is the operating principle of ISO management standards. By following this cycle, you can effectively manage and continually improve your organization’s effectiveness.

  • PLAN – Establish objectives and draft your plans
  • DO – Implement your plans
  • CHECK – Measure and monitor your actual results against your planned objectives
  • ACT – Correct and improve your plans to meet or exceed your planned results

ISO 20000-1 Links

Integration with other management systems

Link between ISO 20000-1 and other standards

ISO 20000 can be easily linked with ISO 9000 and ISO 27001. All these standards closely follow the principles of a quality management system (Plan, Do, Check and Act). In ISO 20000, the importance of Information Security Management is detailed.

The ISO/IEC 27000 family of standards specifies requirements and provides guidance to support the implementation and operation of an information security management system. The link between ISO 20000 and the standards mentioned above is strong: almost all of the SMS clauses are similar to those of these standards, so the standards lend themselves to integration. Each of them can be implemented either individually or together with the others.

If your organization is interested in combining management systems, such as a Quality Management System (QMS) with a Service Management System (SMS) or an Information Security Management System (ISMS), this is possible if ISO 9001 (QMS) and ISO 20000 (SMS) or ISO 27001 (ISMS) are implemented simultaneously, or if the QMS is implemented before the SMS or ISMS, respectively.

Benefits

ISO 20000-1: What are the benefits?

ISO/IEC 20000-1:2011 - IT Service Management System - the Business Benefits

Some of the key business benefits of adopting the ISO 22301:

  • Provides the ability to manage suppliers effectively
  • Manages the relationship with vendors through notable service level management
  • Gives assurance that IT services meet the needs of the client
  • Awareness and accountability of staff
  • Allows companies to manage their IT through the service supply chain
  • Enables faster and effective transition of IT services
  • Demonstrates service reliability and consistency
  • It boosts reputation and strengthens relationships with key stakeholders
  • Provides a common framework for staff training and career development
  • Reduces the risk, cost and time to market new products and services
  • Increases the confidence of clients, business partners and other stakeholders when working with an organization that possesses ISO/IEC 20000
  • Provides a competitive advantage of differentiation for the organization
  • Enables better automation of IT service management processes
  • Assists satisfaction of requirements of customer and/or other stakeholders
  • Consolidates confidence of customers, suppliers and partners of the organization
  • Complies with national, regional and international laws and regulations

ISO 20000-1 Certification

Certification Steps

Certification of Organizations

The usual path for an organization that wishes to be certified against ISO 20000-1 is the following:

1. Implementation of the management system:

Before being audited, a management system must be in operation for some time. Usually, the minimum time required by the certification bodies is 3 months.

2. Internal audit and review by top management:

Before a management system can be certified, it must have had at least one internal audit report and one management review.

3. Selection of the certification body (registrar):

Each organization can select the certification body (registrar) of its choice.

4. Pre-assessment audit (optional):

An organization can choose to perform a pre-audit to identify any possible gap between its current management system and the requirements of the standard.

5. Stage 1 audit:

A conformity review of the design of the management system. The main objective is to verify that the management system is designed to meet the requirements of the standard(s) and the objectives of the organization. It is recommended that at least some portion of the Stage 1 audit should be performed on-site at the organization’s premises.

6. Stage 2 audit (On-site visit):

The Stage 2 audit objective is to evaluate whether the declared management system conforms to all requirements of the standard, is actually being implemented in the organization and can support the organization in achieving its objectives. Stage 2 takes place at the organization’s site(s) where the management system is implemented.

7. Follow-up audit (optional):

If the auditee has non-conformities that require an additional audit before being certified, the auditor will perform a follow-up visit to validate only the action plans linked to the non-conformities (usually one day).

8. Confirmation of registration:

If the organization is compliant with the conditions of the standard, the Registrar confirms the registration and publishes the certificate.

9. Continual improvement and surveillance audits:

Once an organization is registered, surveillance activities are conducted by the Certification Body to ensure that the management system still complies with the standard. The surveillance activities must include on-site visits (at least 1 per year) that allow verifying the conformity of the certified client’s management system and can also include: investigations following a complaint, review of a website, a written request for follow-up, etc.

GABRIEL REGISTRAR
