I S O / I E C 2 0 0 0 0 C E RT I F I C AT I O N AND
I M P L E M E N TAT I O N G U I D E
Standard Introduction, Tips for Successful ISO/IEC 20000 Certification, FAQs, Mapping Responsibilities, Terms, Definitions and ISO 2000 Acronyms
Notice of Rights: Copyright © The Art of Service. All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Notice of Liability: The information in this book is distributed on an “As Is” basis without warranty. While every precaution has been taken in the preparation of the book, neither the author nor the publisher shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in this book or by the products described in it. Trademarks: Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this book are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this book.
1
WRITE A REVIEW & RECEIVE A BONUS EMEREO EBOOK OF YOUR CHOICE: UP TO $99 RRP FREE! If you recently bought this book we would love to hear from you! Submit a review of this purchase and you’ll receive an additional free eBook of your choice from our catalog at http://www.emereo.org. How Does it Work? Submit your review of this title via the online store where you purchased it. For example, to post a review on Amazon, just log in to your account and click on the Create Your Own Review button (under Customer Reviews) on the relevant product page (you’ll find plenty of example product reviews on Amazon). If you purchased from a different online store, simply follow their procedures. What Happens When I Submit my Review? Once you have submitted your review, send us an email via
[email protected], and include a link to your review and a link to the free eBook you’d like as our thank-you (from http://www.emereo.org – choose any book you like from the catalog, up to $99 RRP). You will then receive a reply email back from us, complete with your bonus eBook download link. It's that simple.
2
TA B L E O F C O N T E N T S ISO/IEC 20000 Certification and Implementation Guide ........................ 1 Write a Review & Receive a Bonus Emereo eBook of Your Choice: Up to $99 RRP FREE! ................................................................................... 2 Table of Contents ..................................................................................... 3 ISO 20000 Implementation ...................................................................... 7 How to Approach ISO 20000 ............................................................... 8 Myths of ISO 20000 ............................................................................ 10 So Why Bother? .................................................................................. 11 Avoiding Issues ................................................................................... 12 Management ....................................................................................... 13 Obvious? ............................................................................................. 14 Still Facing Resistance ....................................................................... 16 Understand the Threat ........................................................................ 17 Strength in Numbers ........................................................................... 18 Watch out for Hazards........................................................................ 19 3
Misunderstanding? ............................................................................. 20 Need a Coach? ................................................................................... 21 Poorly Written Procedures ................................................................. 23 Poorly Written Procedures (continued) ............................................. 24 Poorly Written Procedures (continued) ............................................. 25 Documentation ................................................................................... 26 ‘Special’ Departments ........................................................................ 27 How to Deal With It? .......................................................................... 28 Steering Teams ................................................................................... 29 Keep the Momentum ........................................................................... 31 Celebrate Progress ............................................................................. 32 Usual Suspects .................................................................................... 33 Prepare for Audit................................................................................ 34 Prepare for Audit (continued) ............................................................ 35 Going the Distance ............................................................................. 36
4
Make it Simple .................................................................................... 37 Management Review........................................................................... 38 Internal Audits .................................................................................... 39 Other Tips for Maintaining Success ................................................... 40 Other Tips for Maintaining Success (continued) ................................ 41 Roles & Responsibilities ..................................................................... 42 Certification Process .......................................................................... 43 Accredited Program Providers........................................................... 45 After the Certification – What Happens Next? ................................... 46 ISO/IEC 20000 Certification .............................................................. 48 Personal Certification ........................................................................ 49 Qualification Scheme.......................................................................... 50 Mapping Responsibilities: Understanding ‘Who Does What’ ............... 51 Techniques .......................................................................................... 52 RACI Matrices .................................................................................... 59
5
Tips for Successful ISO/IEC 20000 Certification Summary .................. 63 ISO/IEC 20000 Frequently Asked Questions ......................................... 65 Terms and Definitions Associated with ISO 20000 ............................... 83 List of Acronyms Associated with ISO 20000 ....................................... 90 Further Reading ...................................................................................... 95
6
I S O 2 0 0 0 0 I M P L E M E N TAT I O N
ISO 20000 Implementation
Tips & Techniques
The aim of ISO 20000 – inherited from BS 15000 – is to ‘provide a common reference standard for any enterprise offering IT services to internal or external customers’. Given the importance of communication in Service Management, one of the most important targets of the standard is to create a common terminology for service providers, their suppliers and their customers.
7
How to Approach ISO 20000
How to approach ISO 20000 • • • • • •
If it works don’t fix it – this is not about perfection. Run a process improvement project Establish process management Integrate with ISO 9001/ISO 27001 Engage your assessor early Map organization & processes to ISO 20000
Plan to fill gaps Identify who needs to know what
•
Get process owners allocated and briefed
ISO 20000 & ITIL Foundation
• • •
Assessors & Implementers – train as ISO 20000 consultants Common repository Assessment – How comfortable are people with assessment
If there are effective processes in place that meet ISO 20000 then stick with them. Continual improvement will follow. •
Appoint a project manager – as with any project it is important to a single individual to take responsibility.
•
Use existing quality functions and integrate with ISO 9000.
•
ISO 20000 Lead Assessor training is now available.
•
Engage with your assessor early as you need to understand how they work and ensure they have the relevant qualifications.
•
Establish process development & deployment process: review, update, deploy, audit and improve.
•
Common repository ideally accessible online
8
•
Assessment – How comfortable are people with assessment. If people have not been though an ISO 9000 assessment before then they may need coaching on how to handle audits and what is expected.
9
Myths of ISO 20000
Myths of ISO 20000 1. I need to know all about ITIL to get ISO 20000 2. Getting the ISO 20000 Certificate is the end game 3. My organization will have to start from scratch
1. You can obtain ISO 20000 without knowing anything about ITIL. However, this would be a missed opportunity. 2. No, getting the ISO 20000 certificate is just a stop on the service improvement journey driven by ISO 20000 requirements. 3. Certainly not, your organization is probably doing a lot of what ISO 20000 requires. The processes need to be implemented into your current environment, not the other way around.
10
So Why Bother?
So why bother? • • • • • • •
Common approach to service management By product of process & service improvement Needed to recognize industry best practice ITIL increasingly recognized internationally Accredited assessment scheme Marketplace demand increasing Market advantage
Other examples of benefits ISO 20000 can bring relate to specific issues experienced by organizations worldwide e.g. •
Reduced duplication of process development effort
•
To improve the transfer of staff across accounts and functions
•
Provide a common framework for driving improvement
•
Provide a common vocabulary & approach
•
Tangible returns - reduced cost of ownership, improved service levels
•
Staff have industry recognized qualifications
•
Service Management recognized as a valuable role
•
Clients assured by a certified and industry best practice approach. 11
Avoiding Issues
Avoiding issues • Without clear and reliable guidance people are generally reluctant to commit to change. • No body wants to jump into a cold and unknown waters! • Management must make sure the water is warm and welcoming.
Successful implementation depends on Management getting involved from the outset. Staff are generally reluctant to see changes taking in place in their working environment, especially when it involves taking on a new and unknown standard. If managers commit to the project and make their commitment visible, it sends a message that change is occurring from the top. This instills confidence, a sense of urgency and credibility to the changes.
12
Management
Management So Management need to lead by example. They need to be the first to: • • • •
Learn about ISO 20000 Planning the project and assigning responsibilities Make their commitment visible by providing resources Rewarding participation in the ISO project
Management commitment is an intangible concept. Compliance to the management responsibility requirements can be shown by documented leadership and actions for the development, implementation and improvement of its Service Management capability.
13
Obvious?
Obvious? These points may seem obvious but the ISO 20000 registrar named:
Management buy-in and support as the major obstacle faced by organizations who are attempting to implement ISO 20000.
Commitment of top management is indispensable for the successful implementation of ISO 20000. Leadership is one of the eight quality management principles that stem from ISO 9000. Documents that could demonstrate management commitment are: •
Records of the appointment of a member of management responsible for the co-ordination and management of all services.
•
Written Service Management policy, objectives and plans
•
Plan implementation results
•
Communication records
•
Documentation of customer requirements, records or customer satisfaction measurements 14
•
Records of resource determination
•
Records of Service Management review such as review meeting minutes, action plans and follow-ups.
15
Still Facing Resistance
Still facing resistance Staff need reassurance that there are benefits and light at the end of the tunnel. They need to know : • • • • •
Why is ISO important to this company? What difference will it make? How will it make my job easier? How will it change my job? What will stay the same?
Before any organizational change, it is essential that benefits are explained to all parties involved to gain support, to make the transition as easy and as successful as possible. Strong leadership is required. Another crucial aspect to consider is the cultural aspect of change. When a Service Improvement plan is implemented the focus can often be on the new or changing organizational structure and the new technology. Attention also needs to be paid to the cultural change by; determining the existing culture, identifying supportive behaviors and changing undesirable culture.
16
Understand the Threat
Understand the Threat Understanding that staff feel threatened is half the battle. They have specific questions that relate to their own job role, responsibility and • If I document everything I do, will I still have value? • What does corrective action mean? It sounds like I am in trouble. • Someone is going to audit my performance? All of a sudden you feel the need to check up on me?
Stakeholders, including customers and employees, must understand how they will benefit from more mature IT management, and why certain changes and measures are being planned. This awareness helps to remove the resistance to changes in established working practices. Underlying Principle: Everybody goes through the different states before embedding the change. Awareness and education prepare the people for the resistance that everybody will be going through. Think about changes that have occurred in your workplace and how you felt during these times. 17
Strength in Numbers
Strength in Numbers To remove the threat, involve employees in the development process (and explain why decisions are being made): • To modify or develop processes to meet the standard use the people that are currently involved in the process. • Train all staff on the corrective action and internal audits; emphasize the focus on improving the process.
When creating competence, awareness and training, three quality management principles apply: Leadership: The ability of an individual to influence, motivate and enable others to contribute toward effectiveness and success of the organizations of which they are members. Involvement of People: People’s special talents have to be recognized and made use of for the organization’s benefit. Continual Improvement: The competence and awareness of people have to be developed and enhanced continually.
18
Watch out for Hazards
Watch out for hazards There may be hazards along the way. This is a new standard for the company, so it is essential that everyone has sufficient knowledge and understanding to perform their role effectively. The company should provide: • General introduction training for all staff into the ISO 20000 • Consider more advanced training for the project manager and other people in charge of driving the project.
When organizing employees, the focus should not only be on obtaining a good match between the required and available competence, but also on the opportunities to develop competence, transfer expertise and learn skills. Mentors or coaches may support employees. Setting up skills groups can also support the exchange of experience and encourage the development of new competence.
19
Misunderstanding?
Misunderstanding? It is also essential that all relevant parties have a clear understanding of Parts 1 and 2 of the ISO 20000 standard. Misinterpretation of the Standard can lead to wasted time and effort while: • Redesign processes numerous times • Over implementing the standard • Uncovering major nonconformance during audit, delaying your certification.
The ISO 20000 standard is composed of two parts, under the general title Information Technology – Service Management: Part 1 – Specification: The formal specification of the standard. Part 2 – Code of Practice: describes best practices in detail, and provides guidance and recommendations for the Service Management processes within the scope of the formal standard.
20
Need a Coach?
Need a Coach? The company may want to consider using a ISO 20000 consultant: • • • •
To help plan the project Interpret the standard Benefit from their experience Monitor your timeline.
However, properly trained staff will be able to support the organization through the planning and implementation of ISO 20000.
In 2007 EXIN developed a qualification and training program: ISO/IEC 20000 Qualification Scheme for Personnel. This program is designed according to the ISO accreditation standards, so that it can be recognized by the International Accreditation Forum (IAF). The EXIN qualification and training program provides a range of certifications that are explicitly designed to match the ITSM roles mentioned below: •
ISO/IEC 20000 Foundation
•
ISO/IEC 20000 Professional (5 possible certifications)
•
ISO/IEC 20000 IT Service Consultant/Manager
•
ISO/IEC 20000 Senior IT Service Consultant/Manager
•
ISO/IEC 20000 Internal Auditor
•
ISO/IEC 20000 Lead Auditor 21
The current personal certification offers an international recognized qualification scheme in IT service quality management knowledge and understanding.
22
Poorly Written Procedures
Poorly written procedures Procedures will be ignored if they appear too complex and can not be understood. Use user-friendly language and make sure procedures are clear and concise. Why use 10 words when 1 will do? “The items hereinunder referenced in several instances were found to be excessively outside of the minimum parameters required by this standard. Therefore, from immediate effect changes will be implemented and complied with to ensure success”
The following list includes items that did not meet the requirements of the standard and will need to be improved.
ISO does not define the term ‘procedure’ but does require ‘documented and maintained procedures for each process or set of procedures’. The ITIL® version 3 glossary definition of a procedure is: “A procedure is a document containing steps that specify how to achieve an activity. Procedures are defined as part or processes.” So when describing the processes, the procedures should also be described.
23
Poorly Written Procedures (continued)
Poorly written procedures cont.. • • • • • •
Use short sentences starting with a verb. Avoid using the passive voice. Make it clear who is performing the task. Use white space and user friendly fonts, for easy reading. Don’t do too much e.g. work instructions for everything. Don’t overlap or repeat e.g. including a process in more than one work instruction. • Don’t do too little e.g. lack of work instructions where the process affects the quality of the product.
Establish procedures and responsibilities for the creation, review and approval, maintenance, disposal and control of documentation and records. The senior responsible owner should ensure evidence is available for an audit of Service Management policies, plans and procedures. A process for creating and managing documents should be operational. Also protect documentation from damage.
24
Poorly Written Procedures (continued)
Poorly written procedures cont.. It is important that the person who is writing the procedures plays a major role in the process. If procedures are written by someone removed from the process, it will not be successfully implemented. The results will be: • Procedure is unrealistic, not practical • Procedure fails to address key issues for the process
Just as for processes and procedures, few specifically required documents are mentioned in ISO 20000. However, again this does not mean than at organization, having established only the explicitly required documents, will be automatically certified against the standard. They should be able to prove that they have firmly established all the processes required by the standard, whilst also being able to show the necessary documentation for this (not necessarily on paper).
25
Documentation
Documentation Remember: the goal here is consistency for your processes. Question: If two trained employees were to perform this task, would they do it the same way? If the answer is no, a work instruction is needed.
Without well documented work instructions an organization would soon be left with just the knowledge that is stored in the heads of people, and people tend to move to other jobs or forget about things – and what if they do not agree on a specific issue? Standardization would be a hard quest if we were unable to rely on agreed and well-documented instructions.
26
‘Special’ Departments
‘Special’ Departments Are there departments within your organization that have their own rules, require special circumstances or artistic license to complete their tasks? It is possible that you will encounter some resistance to documenting procedures in these areas.
A specific type of evidence required would be records. Records are documents stating results achieved or providing evidence of activities performed.
27
How to Deal With It?
How to deal with it? It is important to demonstrate to these departments that the processes should be consistent. The creativity takes place within the process. Document the procedure to describe the steps that must be followed, but not to prescribe the detail of their job.
Please keep in mind that ISO 20000 should not be a collection of processes, procedures, documents and records, but rather an integrated management system, with interrelating documentation.
28
Steering Teams
Steering Teams It is essential to have decision makers and resource providers situated on the steering team to ensure that decisions can be made quickly and by the right people. The steering team must also: • • • •
Monitor the timeline Remove obstacles Provide resources Coordinate efforts between different groups
The objective of this team will be to ensure all the critical success factors are met: •
Create a sense of urgency
•
Strong coalition at the top
•
Vision and leadership in maintaining strategic direction, clear goals and measurement of goal realization
•
Acceptance of innovation and new ways of working
•
Common understanding of the business, its stakeholders and its environment
•
IT staff understanding the needs of the business
•
The business understanding the potential of IT
29
•
Information and communication available and accessible to everyone who needs it
•
Tracking of technology developments to identify opportunities for the business
•
Creating quick wins, without forgetting about the long term benefits
•
Institutionalizing the organizational changes.
30
Keep the Momentum
Keep the momentum Another issue that organizations face, is loosing the momentum and forgetting about good practice over time. The most common break down is with communication. Employees are left outside the loop and hear less about progress as the project progresses. They become less motivated and uninformed. As the project goes on it is essential that staff are kept informed with progress reports and changes etc.
Communications should have an intended purpose and a clear audience. The audience must have been actively involved in determining the need for that communication and what they will do with the information. Frequency, location and choice of medium for communication should be decided by the individual department and documented in a policy (the choice must serve the goal).
31
Celebrate Progress
Celebrate progress Involve employees and customers by keeping the project visible. Celebrate progress, achievement of goals and successes by: • Get Togethers • Employee/Team/Department Recognition • Regular communications e.g. reports, newsletters, emails etc. • Rewards e.g. financial etc.
Examples of Motivation: •
Show success (examples from other Organizations, departments)
•
Acknowledge weaknesses (with improvement actions)
•
Ownership (Involve people in the change to develop ownership of the outcome)
32
Usual Suspects
Usual suspects The usual suspects for non-conformance can be found are within the following areas: • • • • • •
Design Control Document Control Purchasing Equipment Corrective Action Training
The documentation of the management system and the process documents have an initial assessment. If there are any audit failures, called non conformances, then they will be added to the Corrective Action Plan (CAP). It is required that clients document how they are going to address these CAPs and returns details to the certification body for agreement.
33
Prepare for Audit
Prepare for audit Being prepared for audit can only improve your chances of Success. It will also enable staff to get used to the system and the ‘audit environment.’ To get prepared: • Complete one cycle of internal audits • Complete one management review • Have approximately 3 months of records • Have a minimum of one design project documented end-toend (from start to finish).
Once the service provider has carried out the implementation processes for the QMS and an internal assessment shows that the processes meet the ISO 20000 requirements they are ready for The 7 Step Certification Process: •
Questionnaire
•
Application for Assessment
•
Optional Pre-Audit
•
Initial Audit (Stage 1)
•
Certification Audit (Stage 2)
•
Surveillance Audits
•
Re-Certification Audits
34
Prepare for Audit (continued)
Prepare for audit cont… • Make all employees aware of the audit • Make sure they know what to expect • Inform all relevant parties of the timeframe and content of the audit • Do a pre-check of your departments to identify any uncalibrated equipment and uncontrolled documents etc.
A pre-audit is a high-level evaluation indicating where the company currently stands in compliance with ISO 20000. If an organization is new to ISO audits, this will help educate management and staff on what is about to occur. The auditor will point out any areas of concern. Addressing issues at this point reduced risks of non conformance during the actual audit. This early observation can be immediately implemented into the management system, so findings can be fixed before the official audit commences.
35
Going the Distance
Going the distance Are you fully compliant or just fire fighting? Once implementation is in progress and staff are on board, there are still challenges ahead. Time will tell if you have implemented a fully compliant system or if further improvements need to be made. Examples of problems that can arise are: Problem
Related Issues
The system is too complicated and becomes static
the system may have been built as the ideal system, not a reflection of what is actually done. Employees become confused and lose motivation.
A program of regular surveillance audits is agreed to verify that the requirements of the ISO 20000 standard continue to be met, and again, CAP’s will be raised if appropriate. These surveillance audits are undertaken over a three year cycle to ensure that the management system is working properly. This is performed in addition to the internal audits and to ongoing monitoring and management that are performed internally.
36
Make it Simple
Make it simple If problems arise, don’t be afraid to make changes to the system. If necessary, simplify the procedures. Once they have been used, feedback can be obtained on how well they are working. This feedback can be used to identify specific areas for improvement. Don’t expect the system to be perfect immediately.
Auditing for improvement using Key Performance Indicators is a common method of tracking metrics. Trend analysis can be done by using a ‘Balanced Scorecard’. A Balanced Scorecard contributes to organizational performance management. The goals for organizational performance management should include four perspectives: •
Customer Perspective: Relevant to most processes and particularly to SLM with documented targets.
•
Internal Process Perspective: Include the ISO 20000 processes
•
Learning and Growth Perspective: Staffing, training and investments in software.
•
Financial Perspective: IT Financial Management covers how costs and charges are allocated to the customer organization. 37
Management Review
Management Review If your current Management Review becomes ineffective ask questions to identify were gaps are found e.g. • Evaluate the data that is provided. Is it enough to communicate to Management how the quality system is working? • Is Management assigning action items and following up on them? • Is Management devoting enough time to the Management review?
Targets should be measurable, linked to business objectives and documented in a plan. The review should be actively managed, and progress should be monitored against formally agreed objectives.
38
Internal Audits
Internal Audits If your current Internal Audit becomes ineffective ask questions to identify were gaps are found e.g. • Is Management committed? • Are employees available for the audit? Auditees Auditors • Is it always the same person auditing? It may be time for a change, new people mean new perspectives!
An independent evaluation is needed to assess the performance, and is also required by customers and third parties. The results can be used to update the agreed measures in consultation with the customers, and also for their implementation. The results of the evaluation may suggest changes, in which case an RFC is defined and submitted to the change management process. Unlike self assessments, the same personnel that act in the other sub processes do not undertake audits. This is to ensure that the responsibilities are separated. An internal audit department may undertake audits.
39
Other Tips for Maintaining Success
Other tips for maintaining success Assign responsibilities to a variety of people; don’t assume that the Quality Manager has to be responsible for everything. Use other coordinators for dealing with: • Corrective actions • Training Records • Equipment • Quality Records • Internal Audits.
Share the load. Make sure roles and responsibilities are allocated and aligned with specific tasks.
40
Other Tips for Maintaining Success (continued)
Other tips for maintaining success cont… Use the system that you have built – its not just for show: • Implement corrective actions • Training Records • Emphasize the importance of Corrective action Management Review Internal Audit • Continue Training
The system is not just to obtain ISO 20000 certification. It can provide a basis for real growth and success for the business, if it is used correctly and consistently.
41
Roles & Responsibilities
Roles & Responsibilities • itSMF UK register certification bodies (RCB’s), who grant certification. • Most countries have local certification bodies, that perform certification audits. • Certification bodies are registered with the national accreditation body. • Many national accreditation bodies are registered with the International Accreditation Forum (IAF) • Certificates issued by IAF Multilateral Recognition Arrangement (MLA) assures customers that the certificate is credible. This process of certification and accreditation assures international customers that the process of certification in guaranteed.
For more information on roles and responsibilities, see the Mapping Responsibilities section of this book.
42
Certification Process
Certification Process Once the service provider has carried out the implementation processes for the QMS and an internal assessment shows that the processes meet the ISO 20000 requirements they are ready for The 7 step certification process: 1. 2. 3. 4. 5. 6. 7.
Questionnaire Application for assessment Optional pre-audit Initial audit (stage 1) Certification audit (stage 2) Surveillance audits Re-certification audits
There are numerous benefits to being certified: •
Implementing ISO 20000 improves business process effectiveness and efficiency and saves money.
•
Most companies implementing ISO 2000 certification subsequently report increases in process efficiencies, higher customer satisfaction and improved service quality.
•
Customers are assured that the development and delivery of services complies with globally accepted standards.
Companies should ensure they are pursuing certification for the right reasons:
43
•
To qualify for new customers – more and more corporations see ISO 20000 certification as an essential requirement for conducting business with a new vendor.
•
To enter global markets – ISO 20000 standards are widely recognized.
•
To have better documentation available for numerous purposes.
•
To give the company a competitive edge and show the drive for quality services.
44
Accredited Program Providers
Accredited Program providers There a re-number of factors which can influence the quality of an ISO 20000 program: • • • • • • • •
Quality of the tutors Planning of the course Suitability of the venue Consistency of the program materials with ISO 20000 Experience of the attendees Use of practical oriented examples Assignments Possibilities for group discussions
Examination bodies co-operate closely with their accredited training organizations to monitor the quality of the training provided.
45
After the Certification – What Happens Next?
After the certification – what happens next? Audit Plan [example]
Year 0
Year 1
Year 2
Year 3
Partial
Partial
Pre-audit / internal audit Certification audit
Full
1st
Half surveillance audit 2nd
Half surveillance audit
Partial
Re-certification audit
Partial
Full
You will need to re-certify after 3 years and it is considered good practice to partial audits at least once a year to ensure that the focus stays on process management control and doesn’t slack off. Cost would be similar to ISO 9000 audits. When you choose your registration body cleverly, you might be able to combine the ISO 20000 audit with the ISO 9000 audits and ISO 27001 audits. Annual surveillance audits are required. Internal audits are required by part 1 and the certification scheme (section 4.3). 46
What happens if non-conformance is found? •
If a major non-conformance is found during the initial audit, the auditor will not issue the certificate.
•
If a major non-conformance is found during a surveillance audit, the auditor will require that the non-conformance be rectified.
•
If a minor non-conformance is found, the auditor may require a follow-up audit.
47
ISO/IEC 20000 Certification
ISO/IEC 20000 Certification
Can I be ITIL Certified? Can I Certify my Service Desk? Can I Certify my Product or Service?
Can I Certify my Service Management Processes?
It is important to clarify what can and what cannot be certified. ISO 20000 provides certification of IT Service Management processes. The ISO/IEC 20000 standard has been developed as a standard against which service providers can be certified. A service provider that wishes to express their adherence to quality in IT Service Management can have its IT organization independently certified.
48
Personal Certification
Personal certification Internationally recognized qualification professionals in ISO 2000 is of increasing importance both to organizations and individual professionals. Optimizing professionalism is an important factor of successful IT service improvement programs. Staff commitment for such programs can be boosted by challenging and rewarding employees with internationally recognized certifications.
In order to become ISO 20000 certified, companies should be able to show that they have a quality management system in place and their ITSM processes should be firmly established. The standard is quite succinct when it comes to requirements that personnel involved in providing the services should meet. “It is assumed that the execution of the provisions of this part of ISO 20000 is entrusted to appropriately qualified and competent people”.
49
Qualification Scheme
Qualification Scheme
Earning an independent certificate represents solid evidence of your successful completion of the course requirements. It illustrates your dedication to becoming more competent and valuable to your organization and to the customers you serve.
50
MAPPING RESPONSIBILITIES: U N D E R S TA N D I N G ‘ W H O D O E S W H AT ’ Achieving ISO/IEC 20000 requires roles and responsibilities to be clearly defined. Clarity on ‘who does what’ avoids confusion, variations in processes that ought to be consistent, and inefficiency in delivery of the service. This is particularly important if roles and responsibilities need to change, as they often will when a service provider is aiming for the kind of best practice model specified in ISO/IEC 20000. ISO.IEC 20000 recognizes that each service provider may implement and allocate roles differently. It does not specify how roles and responsibilities should be documented; matrices, in various forms can be used for this.
51
Techniques Matrices can be used to supplement job descriptions and process procedure documentation, see Tables 1-6 for examples. Responsibility matrices provide a compact, concise and easily managed method of tracking who does what in each process and between processes, which is better than a large volume of text. The examples given in Tables 1-6 are used by real service providers, and re tuned to their needs and environments. They are included to illustrate the use of responsibility matrices and are not generic nor are they models for another service provider to adopt. Specific examples of responsibility matrices are also available in best practice material, such as that found in ITIL® The examples included are samples from the service level management and service reporting processes. In the example shown the service review is used to describe the customer’s future business plans and needs and the current operational service. Each entry could be broken down further to lower levels of detail in a logical hierarchy to map onto a procedure or even to clarify responsibilities at work instruction level. Matrices such as those in Tables 2-6 will help a service provider meet the ISO/IEC 20000 requirements for competence, awareness and training.
52
Table 1: Key to abbreviations for Tables 2- 4 Abbreviation
Role
Description
BRM
Business Relationship
Person responsible for
Manager
the relationship with the business. Has overall responsibility for the relationship with the customer and for customer satisfaction.
IM
Incident Manager
Person responsible for the effectiveness of the incident management process.
OM
Operational Manager
Person responsible for managing delivery of a service team. Has line management responsibility for staff delivering that service.
SLR
Service Level Reporting
People documenting
team
service level achievement and explanation of exceptions.
53
Table 1: Key to abbreviations for Tables 2- 4 (continued) What?... states what needs to be achieved When?… explains when the particular process/procedure must be followed Why?... explains why the practice exists and how it has been developed How?... explains how the practice is achieved Who?... tells which members of the team are responsible
54
Table 2: Service Review Meetings What
When
Why
How
Who
Customer:
As
a) Ensure service
Define agenda,
BRM
Hold meetings,
appropriate,
level agreement
dates,
OM
document
but within
(SLA) reflects
participants
appropriately,
published
customer needs
monitor and
schedule
b) Ensure agreed
own actions
services are met c) Provide audit trail of issues / actions
Internal: Hold
As
a) Ensure SLA
Define agenda,
BRM
meetings,
appropriate
reflects customer
dates,
OM
document
but within
needs
participants
appropriately,
published
b) Ensure agreed
monitor and
schedule
services are met
own actions
c) Provide audit trail of issues / actions d) Encourage participation / team work e) Understand customer’s business plans f) Incorporate internal planning
55
Table 3: Service Level Reporting What
When
Why
How
Who
Design and
Start of
In order to ensure
Review
SLR
content
responsibility /
that report is
report and
OM
awareness
SLA changes
accurately measuring
cross-
SLAs
referenced with SLA
Production
As per contract
To ensure that data
Review
SLR
contained within
report
OM
report is accurate and complete Verification
After production
To ensure that data
Review
SLR
of report
contained within
report
OM
To provide customer
Electronic
SLR
with SLA
and / or
IM
measurement
paper bound
information
report
report is accurate and complete Delivery
As per SLA
distributed
56
BRM
Table 4: Incident and Internal Reports Incident Report What
When
Why
How
Who
Production
Upon request of
To detail impact,
Standard
IM
BRM / customer
and to action
format on
OM
/ IM or as
prevention of
incident report
detailed within
recurrence
database
Within 5
To cascade
Electronic /
IM
working days of
information to
paper bound
BRM
incident or as
customer and
report
detailed within
internal support
distributed.
SLA
teams
Review
SLA Delivery
content with BRM prior to distribution Sign-Off
As timetabled in
To ensure that
Review status
the incident
planned actions are
with OMs until
report
carried out by the
all actions
business
closed
57
IM
Internal Report (for Delivery Team) What
When
Why
How
Who
Production
Within agreed
Inform line
Commercial
BRM
timescales
manager on service
internal report
Team
and financial status
template
Leaders
58
RACI Matrices Matrices that identify who is accountable, responsible, consulted or informed (ARCI) are also useful. These are generally referred to as RACI matrices. Differences in RACI Roles The differences in roles are normally based on guidelines such as: •
•
•
•
Accountable (i.e. the buck stops here): o
Person with YES/NO authority, sign-off, approval, veto
o
Should be no more than ‘one per row’
Responsible (i.e. the doer): o
Takes initiative to accomplish a task/function/decision
o
Develops alternatives
o
Consults and informs others
Consulted (i.e. kept in the loop): o
Asked for input prior to decision/action
o
Part of two-way communication
o
Can be initiated or solicited
Informed (i.e. keep in the picture): o
Told about a decision/action usually after the fact
o
Permission is not sought from this person
o
One-way communication
o
May be prior to going public to a wide audience 59
The accountable, responsible, consulted and informed states can be mapped against each process or sub-process, and used in conjunction with a process map or a procedure. Documenting roles and responsibilities this way reduces some of the ambiguity that can arise from a purely text-based description. Table 5 given an example matrix for the change management process. A lower level of detail may be useful for each of the tasks shown in the matrix in Table 5. An example of a lower level is given in Table 6 for task number four: ‘Build, test and implement change’.
60
Table 5: ARCI Matrix Example (Level 1)
Task
Accountable
Responsible
Consulted
Informed
1. Log request
Change Initiator
Change Initiator
2.
Change
Change
Configuration
Categorization
Manager
Manager
Manager
3. Assess,
Change
Change
Configuration
appraise and
Manager
Manager
Manager
4. Build, test
Implementation
Implementation
Change
Configuration
and implement
Manager
Manager
Manager
Manager
5. Verify and
Change
Change
Configuration
close
Manager
Manager
Manager
for change (RFC)
RFC
schedule RFC
change
61
Table 6: ARCI Matrix Example (Level 2) Task
Accountable
Responsible
Consulted
Informed
4.1 Build
Development
Development
Change
Configuration
change
Manager
Manager
Manager
Manager
4.2 Test change
Test Manager
Test Manager
Change
Configuration
Manager
Manager
4.3 Implement
Operations
Operations
Change
Configuration
change
Manager
Manager
Manager
Manager
62
TIPS FOR SUCCESSFUL ISO/IEC 2 0 0 0 0 C E RT I F I C AT I O N S U M M A RY Executive and top management have to support the initiative As personnel and financial resources are under constant pressure to succeed with such an extensive project while taking care of daily business. Motivate and successfully engage the staff All involved employees have to embrace the certification as their own personal goal. Management needs to motivate employees and position them properly according to their skills. However, it also requires the commitment to replace objectors and naysayers if necessary. Conduct risk analyses upfront It is important to estimate upfront what challenges may occur and what measures can be taken to quickly address them if necessary. Make processes operational The project leaders have to understand from the beginning how to implement the newly defined or improved processes and which measures are necessary to do so. Also the selection of the right IT service management software plays an important role.
63
The certification is only the first step A service initiative does not end with the certification–it starts with it! The ISO 20000 certification is an investment in the future of the company, which will result in increased quality and customer satisfaction. To achieve this, the goals must be continuously pushed forward and routinely checked even after successful certification.
64
I S O / I E C 2 0 0 0 0 F R E Q U E N T LY ASKED QUESTIONS What is ISO/IEC 20000? ISO/IEC 20000 is the International Standard for IT Service Management. This is based on the British Standard, BS15000, with minor but not significant changes. ISO/IEC 20000 was published in mid December 2005. ISO/IEC 20000 provides a recognized accreditation against which an organization can demonstrate to their customers that it’s IT Service Management processes represent best practice. The certification scheme for BS15000 run by itSMF has been updated to become the scheme for ISO/IEC 20000. What are the benefits of ISO/IEC 20000 certification? Development an ISO/IEC 20000 standard compliant IT service organization will take time and will often lead to some organizational change. However, the benefits of having a proven, conformant best practice IT service provision is: •
A more competitive business
•
Aligned IS/IT strategy with the overall business strategy
•
Managed and reduced risk 65
•
Tangible cost savings
•
More effective supplier management
•
Market leverage and competitive advantage (through the status of compliance / certification)
•
Improved reputation and greater consistency and interoperability
•
Faster time to implement change
•
Improved reliability and availability of service, leading to improved customer satisfaction
•
Suppliers and partners will become more integrated and service focused
•
Possibility of benchmarking with other organization
Who is ISO/IEC 20000 for and why should I be interested? All businesses large and small will be interested in ISO/IEC 20000, as it is the recognised means of benchmarking the delivery of IT to the business. It is sector independent, and relevant to both public and private sector organizations. The main parties that may take specific interest in ISO/IEC 20000 are providers of IT service management services, businesses outsourcing their IT services, businesses managing their own IT services and all providers wishing to benchmark their existing IT service management services.
66
Certification to ISO/IEC 20000 through the itSMF scheme provides an independent, industry-wide recognition of an organisation’s IT Service Management capabilities, and there is already evidence that certification is becoming a requirement in tenders etc. Why are Standards important? In terms of IT Service Management, an ever-increasing demand to improve services through the use of emerging technologies and to transact business nationally and internationally, standards provide a common and consistent platform for organisations to work from. For example, one of its uses is to allow existing providers to benchmark their IT service management. How is certification achieved? The process is similar to that used by other ISO standards, such as ISO 9001 and ISO 27001. It requires adoption of the requirements of the standard, and demonstration of adherence via audit by a third party, which is known as a certification body. An assessment can be carried out by external auditors from a recognized certification body to provide you with a conformance report and, if successful, a certificate for your organization.
67
Who are the certification bodies? There are a growing number of accredited certification bodies. Examples include BSI, Certification Europe Ltd, DNV, DQS, Japan Quality Assurance Organization, LRQA, SGS, STQC and TUV. How long will it take to become ISO/IEC 20000 certified, and how much will it cost? Every organisation is different so there can be no single answer. Your existing level of maturity in service management, the scope of the audit, the size of your company, the resources that can be dedicated to the certification programme will all impact on the time to gain ISO/IEC 20000. For this reason, it is always recommended that organisations undertake an assessment of their current compliance before decided on an accreditation plan. This produces a realistic and achievable approach which maximises the change of early success. For more information, contact one of the Registered Certification Bodies who will usually arrange for a quotation following initial discussions. The reality is that a formal audit is usually a very small proportion of the total cost that an organisation will incur in implementing a service improvement programme.
68
How is conformance with ISO/IEC 20000 demonstrated? Conformance can be demonstrated in various ways, both internally and externally. Internal reviews can be used to assess on a more details level whether the current IT Service Management processes conform to the standard and establish areas for improvement. These reviews might be part of an existing Continuous Service Improvement Program. External reviews tend to be less details but are likely to be seen as a more objective and so carry greater weight that internal ones since they are both impartial and independent. If a Registered Certification Body (RCB, commonly known as an external auditor) conducts the external review and you meet the certification criteria, your organization can become certificated as part of the scheme. You can then display the ISO/IEC 20000 certification logo. This demonstrates that you have been independently assessed as having adequate controls and procedures in place and that you are able to consistently deliver a quality of service. There is a list of accredited RCBs on at www.bs15000certification.com.
69
What is BS15000? BS15000 is the British Standard for IT Service Management. As of midDecember 2005, this was replaced by the international standard, ISO/IEC 20000. I have BS15000 consultant/auditor qualification. What happens to that? BS15000 and ISO/IEC 20000 only have minor differences so your current qualification will be equally useful in supporting organizations with certification for ISO/IEC 20000. You now need to understand the differences between the two standards. BSI has published a booklet to accompany ISO/IEC 20000 that details the exact changes between the two standards. See www.bsi-global.com. Full details are posted on www.bs15000certification.com. I have been working to achieve BS15000. Is this a wasted effort? Because ISO/IEC 20000 is so similar to BS15000, any preparation activities previously made for BS15000 will be equally valid for ISO/IEC 20000. There are 16 changes to requirements in ISO/IEC 20000, all of which are minor.
70
How does the transition between BS15000 to ISO/IEC 20000 certification work? The certification body, itSMF, has issued guidance on the transition which can be found on www.bs15000certification.com. I already have ISO 9000 certification. Why do I need ISO/IEC 20000? ISO 9000 is applied and used by all organisations in different sectors and industries and whilst it has certain attributes and benefits that are valuable to your existing commercial relationship, you should consider whether you wish to have a specific certification for the IT Service Management (ITSM) component of your business. ISO 9000 addresses all working practices in a business, without concentrating specifically on IT Service Management processes (although they may be included at a detailed level). ISO/IEC 20000 is a focused specification for IT service management, its terminology is that of IT service management and all types of assessment will need to be carried out by competent auditors in order to provide you with an assessment report and a certificate if successful, which will be totally aligned with your IT service management business.
71
ISO/IEC 20000 addresses only the IT Service Management processes, and the supporting Management System. Adoption of ISO/IEC 20000 is therefore relevant to those organisations which specifically wish to target their IT Service Management processes, and is not directly related to the adoption or continuance of ISO 9000. There is however some areas of overlap between the standards. Should the principal purpose of your business be ITSM, then ISO/IEC 20000 is virtually essential. Is an existing ISO 9001 certification of benefit? Yes. An existing ISO 9001 Certification indicates that the knowledge and processes of a structured QMS are already accepted and in use. It should quicken the process, and provides the opportunity for both certifications to be assessed together. Which other frameworks can be used with ISO 20000? Whilst ITIL is the most common and most closely aligned, it is by no means mandatory to use it. Other potential frameworks/methods include MOF, COBIT and Six Sigma.
72
As a business seeking ISO/IEC 20000 certification, what external help is available? There are a number of organizations that have qualified consultants who can advise on the appropriate course of action required. In addition, many RCBs will offer pre-audit evaluations to help the organisation understand its current status. In addition, BSI has produced a series of books to assist with understanding different aspects of a full service management solution. Contact us for further information. As an ITIL Service Management Consultant with an interest in ISO/IEC 20000, how can I help my clients? Your consultants should become qualified in ISO/IEC 20000. See the Qualification Scheme on the following page.
73
I believe there are many quality standards available. How do they compare and overlap? There are many Quality Standards, frameworks and methods available and being unsure which one to examine or implement is understandable. You may have heard of MOF, CoBIT, CMM, TickIT, ISO 9000, ISO27001, EFQM, Six Sigma, Balanced Scorecard and SarbannesOxley. Most are not Standards in the strict sense, but simply tools to help organisations operate more efficiently and effectively. It is important to understand the scope and purpose of each one, and then to match this to what you are trying to achieve in your organization.
74
ISO/IEC 20000 is unique in that it mirrors ITIL Service Management principles. ISO/IEC 20000 will be readily understood by anyone with ITIL qualifications. MOF, for instance, a branded product, openly states that it utilises ITIL principles, but also concentrates on the use of Microsoft® products in its implementation. TickIT works in conjunction with ISO 9000 and focuses on application development and project management. CoBIT focuses on corporate governance and can be used with ITIL. Six Sigma is a process improvement tool but is not specific to ITSM and can be used with ITIL. CMM is a maturity measure for primarily application development and project management processes. Most quality systems, by their very nature, will overlap with each other. The most common overlap will be in the areas of quality management, training, documentation audit and conformance. A significant point in the adoption of or conversion to another standard is to avoid discarding any process, procedure or documentation without serious examination.
75
In what ways will ISO/IEC 20000 help me? As well as the potential external marketing and commercial benefits, it provides a recognised and tried and tested management system which allows an IT service organisation to plan, manage, deliver, monitor, report, review and improve its services. It not only looks at operational aspects but also focuses on the business controls covering associated risks, finances, resources and capabilities, providing a proper infrastructure to enable a traditional Plan, Do, Check, Act (PDCA) cycle to be implemented and managed. Our IT is distributed around the UK (and even overseas). Can sites be certified separately? The scoping statement will be agreed with the Registered Certification Body carrying out the assessment and may restrict the scope of the audit and certification to certain services, geographies, locations etc. It is not mandatory for all of an organisation to be certified. This makes it essential for customers seeking an organisation which is ISO/IEC 20000 certified to ask to see the scoping statement to ensure the services they require are actually covered. We do not have all the processes in place. Can we become partcertified? The simple answer is NO.
76
All of the ISO/IEC 20000 requirements have to be in place at an appropriate level. It is not permitted to exclude parts of the standard by, for example, declining to carry out one or more of the processes. Some processes may be outsourced, but they must be performed and the organisation being audited must demonstrate effective management control of those processes, including the interfaces with other, internal service management processes. What Are the Benefits of ISO/IEC 20000 Certification? Primarily, the organisation will become more competitive, reducing the risk, cost and time to market new products and services, whilst improving value for money and service quality. They will be able to manage suppliers more effectively. Service providers will become more responsive, with services which are business-led rather than technology-driven. Your IT service is more likely be chosen, or renewed over that of a competitor that does not demonstrate ISO/IEC 20000 certification, providing both a competitive edge and demonstrating a visible commitment to managing the provision of IT services. It will provide enablers to visibly support the business strategy, with opportunities to improve the efficiency of services in all areas, impacting on costs and service.
77
An operational benefit is to clearly demonstrate service reliability and consistency, which in any environment is critical to business survival and potential growth. Certification audits are continual and should be treated as a mechanism for educating and raising awareness of employees. Certification can also reduce the amount of supplier audits thereby reducing costs. Finally, the use of qualified and independent auditors can be used as a benchmark. What are the origins of ISO/IEC 20000? ISO/IEC 20000 was adopted as an International standard from the original British Standard (BS 15000). There were minor changes during the internationalisation, mainly to do with formatting and clarity. There were few substantive changes to requirements. The edition of BS15000 (BS 15000-1:2002 & BS 15000-2:2003) that was submitted to ISO was actually the second edition and replaced an earlier version released in 2000 called BS15000:2000. The second edition came about as a result of experience and feedback from early adopters of the 2000 edition. The original standard was based on a Code of Practice for IT Service Management – DISC PD 0005:1998. 78
The technical panel which produced BS15000 included representation from the British Computer Society (BCS), the Office of Government Commerce (OGC) and the IT Service Management Forum (itSMF) as well as from IT organisations and technical experts. BS 15000 was aligned with ITIL, best practice guidance and advice first published by the UK government in the 1980s. Today, ITIL is the globally accepted ‘de facto’ standard for best practice processes in ITSM. ITIL was a major contributor to the development of ISO/IEC 20000, in that its major processes have been adopted entirely, and augmented by a few key management processes. What is ITIL? ITIL provides ‘proven’ best practices in IT Service Management (ITSM), derived from public and private sector experts world-wide. Currently, the core publications in ITIL are Service Support; Service Delivery; ICT Infrastructure Management; Application Management; Security Management; Planning to Implement Service Management; and The Business Perspective (of ITSM). The processes defined in these publications also formed the core processes in BS 15000 (and hence ISO/IEC 20000)
79
Isn’t ITIL Best Practice? Yes it is. ISO/IEC 20000 incorporates all the ITIL Service Support and Service Delivery processes but goes further by separating out Service Reporting and introducing three new processes covering Business Relationship Management, Supplier Management and Information Security Management. Additionally there are three management system processes. ITIL is best practice guidance but it is not possible to be accredited as a company against ITIL. The standard is a specification which provides the company level accreditation to demonstrate the consistent use of best practice. ISO/IEC 20000 does not mandate the use of ITIL. However, demonstrating best practice in IT Service Management is of course far easier if it is underpinned by the use of ITIL. Will ISO/IEC 20000 be readily understood by anyone with ITIL qualifications? ISO/IEC 20000 and ITIL share common terminology so the short answer is yes. Remember that conformance is also based on demonstrating appropriate training and skills to deliver the services being accredited so ITIL training should form a significant part of your Best Practice program.
80
What is the benefit of the logo? Whilst it is possible to seek an opinion from anyone as to whether you meet the standard, only Certificates of Compliance which bear the ISO/IEC 20000 logo confirm that the Certification Body which issued the Certificate is one which has been registered as complying with the stringent requirements of the itSMF ISO/IEC 20000 Certification Scheme. Organisations which have a current Certificate of Compliance bearing the itSMF logo are also permitted to display the logo on their stationery, etc. subject to certain terms and conditions. In this way the organisation can demonstrate their compliance with the standard to a wide audience. Why should I seek certification through the itSMF managed scheme? itSMF are the owners and managers of the ISO/IEC 20000 certification scheme. itSMF is generally accepted as the leading body of expertise for Service Management. Becoming certified against ISO/IEC 20000 implies that you have been formally recognised in achieving a rigorous standard in IT Service Management by the organisation which is at the forefront of IT Service Management quality initiatives.
81
Our IT is distributed internationally. Can sites be certified separately? Yes. Eligibility is based on demonstrating management control of all processes within the ISO/IEC 20000 standard relative to the scope of certification. A certification may be scoped by specific sites, departments, or by IT services irrespective of location. Are customers already asking for ISO/IEC 20000 and BS15000 in tender documents? Yes. There are a number of customers asking for statements of supplier conformance, accreditation plans and quality management policies: some are quoting ISO/IEC 20000 or BS15000 specifically as the service requirement. It is likely that this movement will grow and, quite simply, if a prospective supplier cannot demonstrate such conformance, they may not be considered during a tendering exercise. Even if a customer doesn’t ask for certification, your service is more likely to be chosen over that of a competitor who does not demonstrate ISO/IEC 2000 or BS15000 certification, providing competitive advantage.
82
TERMS AND DEFINITIONS A S S O C I AT E D W I T H I S O 2 0 0 0 0 Term
Definition
Accreditation Body
Assess organizations that provide certification, testing, and inspection and calibration services. Accreditation by an accreditation body demonstrated competence, impartiality and performance capability of an organization that does audits. Ensures a consistent approach.
Accredited Certification Body
Organization that performs certification audits, commonly referred to as ‘professional audit companies’ and which has been accredited by an accreditation body.
Availability
Ability of a component or service to perform its required function as a stated instant or over a stated period of time. Note: Availability is usually expressed as a ratio of the time that the service is actually available for use by the business to the agreed service hours.
83
Term
Definition
Baseline
Snapshot of the state of a service is actually available for use by the business to the agreed service hours.
Certification
Procedure by which a 3rd party gives written assurance that a product, process or service conforms to specified requirements. ISO/IEC 20000 certification means meeting the specified requirements following an independent audit by an accredited certification body.
Change record
Record containing details of which configuration items are affected and how they are affected by the authorized change.
Code of Practice
A standard that recommends ‘good, accepted practice as followed by competent practitioners’. Recommendations in a code of practice use the auxiliary ‘should’. A code of practice will not contain the verb form ‘shall’.
84
Term
Definition
Compliance
Meeting the requirements in ISO/IEC 20000 (or another national or international standard), as assessed by an internal audit or an organization that is not an accredited certification body or qualified to carry out ISO/IEC 20000 certification audits. Compliance includes ‘Self-certification audits’.
Configuration Items (CI)
Component of an infrastructure or an item which is, or will be, under the control of configuration management. Note: configuration items may vary widely in complexity, size and type, ranging from an entire system including all hardware, software and documentation, to a single module or a minor hardware component.
Configuration Management Database
Database containing all the relevant
(CMDB)
details of each configuration item and details of the important relationships between them.
85
Term
Definition
Document
Information and its supporting medium. Note 1: In this standard, records are distinguished from documents by the fact that they function as evidence of activities, rather than evidence of intentions Note 2: Examples of documents include policy statements, plans, procedures, service level agreements and contracts.
Incident
Any event which is not part of the standard operation of a service and which causes or may cause an interruption to , or a reduction in, the quality of that service.
Normative
Indicating compulsory provisions in a standard (as opposed to informative provisions which are purely there for information).
86
Term
Definition
Problem
Unknown underlying cause of one or more incidents.
Record
Document stating results achieved or providing evidence of activities performed. Note 1: In this standard, records are distinguished from documents by the fact that they function as evidence of activities rather than evidence of intentions. Note 2: Examples of records include audit reports, requests for change, incident reports, individual training records and invoices sent to customers.
Release
Collection of new and/or changed configuration items which are tested and introduced into the live environment together.
Request for change
Form or screen used to record details of a request for change to any configuration item within a service or infrastructure. 87
Term
Definition
Service Desk
Customer facing support group who do a high proportion of the total support work.
Service Level Agreement (SLA)
Written agreement between a service provider and a customer that documents services and agreed service levels.
Service Management
Management of services to meet the business requirements.
Service Provider
The organization aiming to achieve ISO 20000.
Shall
Verb forms that identifies a recommendation, i.e. the guidance provisions in ISO/IEC 20000. This is used extensively in ISO/IEC 20000. In ISO/IEC 20000 the word ‘should’ occurs only in the Notes, as these represent explanations similar to the advice in ISO/IEC 20000.
88
Term
Definition
Specification
A standard that sets out ‘detailed requirements’, using the prescriptive ‘shall’, to be satisfied by a product, material process or system. In ISO/IEC 20000 the verbs shall (and should) refer to aspects of the management processes, also including policy, procedures, plans and objectives.
89
L I S T O F A C R O N Y M S A S S O C I AT E D WITH
ISO 20000
ACP
Accredited Course Provider
ANSI
American National Standards Institute
AS
Australian Standard
BPM
Business Process Modeling
BS
British Standard
BSC
Balanced Scorecard
BSI
British Standard Institution
CAB
Change Advisory Board
CAP
Corrective Action Plan
CCTA
Central Computer and Telecommunications Agency (British Government, now OGC)
CEO
Chief Executive officer
CFIA
Component Failure Impact Analysis
CIO
Chief Information Officer
CI
Configuration Item
CISM
Certified Information Security Manager
CMDB
Configuration Management Database
90
CMM
Capability Maturity Model
CMMI
Capability Maturity Model Integration
COBIT
Control Objectives for IT
CPD
Continual Professional Development
CRAMM
CCTA Risk Analysis and Management Method
CSI
Continual Service Improvement
CSF
Critical Success Factor
CSS
Customer Satisfaction Surveys
DML
Definitive Media Library
DSL
Definitive Software Library
EA
European cooperation for Accreditation
EFQM
European Foundation for Quality Management
ENAC
Entidad Nacional de Acreditacion (Spain)
ESP
External Service Provider
FISM
Fellow of the Institute of Service Management
FSC
Forward Schedule of Change
FTA
Fault Tree Analysis
IAF
International Accreditation Forum, Inc.
IRCA
International Register of Certificated Auditors
IS
Information System 91
IEC
International Electrotechnical Commission
ISACA
Informational Systems Audit and Control Association
ISO
International Organization for Standardization
ISM
Institute of Service Management
ISMS
Institute of Security Management System
IT
Information Technology
ITIL
Information Technology Infrastructure Library
ITOCO
Input-Throughput-Output-Control-Outcome
ITSM
IT Service Management
ITSCM
IT Service Continuity Management
itSMF
IT Service Management Forum
ITT
Invitation to Tender
JAB
The Japan Accreditation Board for Conformity Assessment
JQA
Japanese Quality Association
KPI
Key Performance Indicator
MI
Management Information
MISM
Member of the Institute of Service Management
MLA
Multilateral Recognition Arrangement
MOF
Microsoft Office Framework
92
MTRS
Mean Time to Restore Services
NAB
National Accreditation Body
OGC
Office of Government Commerce
OLA
Operational Level Agreement
OSS
Operational Support System
PDCA
Plan-Do-Check-Act
PIR
Post Implementation Review
PRINCE2
Projects In Controlled
QMS
Quality Management System
RAID
Risks, Assumptions, Issues, Dependencies
RCB
Registered Certification Body
RfC
Request for Change
RfP
Request for Proposal
ROI
Return on Investment
RvA
Raad voor Accreditaire (Netherlands)
SANS Institute
SysAdmin, Audit, Network, Security Institute
SEI
Software Engineering Institute
SIP
Service Improvement Plan
SLA
Service Level Management
SLM
Service Level Management 93
SOA
Service Outage Analysis
SOX
Sarbanes-Oxley Act
SPOF
Single Points of Failure
SQM
Service Quality Management
TGA
German Association for Accreditation
TOP
Technical Observation Post
TQM
Total Quality Management
UC
Underpinning Contract
UKAS
The United Kingdom Accreditation Service
94
FURTHER READING For more information on other products available from The Art of Service, you can visit our website: http://www.theartofservice.com If you found this guide helpful, you can find more publications from The Art of Service at: http://www.amazon.com
95