ISO 27001 consultants, ISO 20000 consultants - IT Service Management System

Introduction

ISO 20000 is the first international standard for Information Technology Service Management and is fully compatible and supportive of the ITIL (IT Infrastructure Library) framework. ISO/IEC 20000-1:2011 specifies four key service management processes broken into 13 IT processes (See reference diagram below), as follows:

Service Delivery Processes – includes Service Level Management, Availability Management, and Capacity Management
Relationship Processes – involves interfaces between the service provider and customers and suppliers
Resolution Processes – focuses on incidents being resolved or prevented
Control Processes – involves managing changes, assets, and configurations

ISO/IEC 20000-1 requires all processes to be implemented without exception.

The standard specifies a number of closely related service management processes that help organizations;

Identify that relationships exist between these processes, and that these relationships will be dependent on their application within an organization
Provides guideline objectives and controls to enable an organization to deliver managed services
Provides control, greater efficiency, and opportunities for improvement
Turns technology focused departments into service focused departments
Ensures IT services are aligned with and satisfy business needs
Improves system reliability and availability
Provides a basis for service level agreements
Provides the ability to measure IT service quality

High Level breakdown of ISO/IEC 20000-1:2005

History of the standard

The U.K. government launched the IT Infrastructure Library (ITIL) in 1989
ITIL defines “best practice” processes and procedures
ITSMF formed in 1991 to further develop best practice
ITSMF approaches BSI to develop a standard
BS 15000 first published in 2000 as a specification
BS 15000 revised in 2002
ISO/IEC 20000 released in 2005
ISO/IEC TR 20000-3:2009 Guidance on Scope Definition and applicability released in 2009 (TR – Technical Report)
ISO/IEC TR 20000-4:2010 Process Reference Model released in 2010 (TR – Technical Report)
ISO/IEC TR 20000-5:20101 Exemplar implementation plan for ISO/IEC 20000-1 released in 2010 (TR – Technical Report)
ITSMF ISO/IEC20000 Scheme transferred to APMG 2010
ISO 20000-1:2011 published April 2011

Overview

ISO 20000 Series of Standards

ISO/IEC 20000-1:2011 Service Management System Requirements

ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfill agreed service requirements. ISO/IEC 20000-1:2011 can be used by:

an organization seeking services from service providers and requiring assurance that their service requirements will be fulfilled;
an organization that requires a consistent approach by all its service providers, including those in a supply chain;
a service provider that intends to demonstrate its capability for the design, transition, delivery and improvement of services that fulfill service requirements;
a service provider to monitor, measure and review its service management processes and services;
a service provider to improve the design, transition, delivery and improvement of services through the effective implementation and operation of the SMS;
an assessor or auditor as the criteria for a conformity assessment of a service provider's SMS to the requirements in ISO/IEC 20000-1:2011.

ISO/IEC 20000-1:2011 promotes the adoption of an integrated process approach to effectively deliver managed services to meet business and customer requirements. For an organization to function effectively it has to identify and manage numerous linked activities. Co-ordinated integration and implementation of the service management processes provides ongoing control, greater efficiency and opportunities for continual improvement.

The ISO/IEC 20000 series draws a distinction between the best practices of processes, which are independent of organizational form or size and organizational names and structures. The ISO/IEC 20000 series applies to both large and small service providers, and the requirements for best practice service management processes are independent of the service provider's organizational form. These service management processes deliver the best possible service to meet a customer's business needs within agreed resource levels, i.e. service that is professional, cost-effective and with risks which are understood and managed.

ISO/IEC 20000-2:2005 Code of Practice

ISO/IEC 20000-2:2005 represents an industry consensus on guidance to auditors and offers assistance to service providers planning service improvements or to be audited against ISO/IEC 20000-1. ISO/IEC 20000-2:2005 is based on BS 15000-2, which has been superseded.

The variety of terms used for the same process, and between processes and functional groups (and job titles) can make the subject of service management confusing to the new manager. Understanding the terminology is a tangible and significant benefit from ISO/IEC 20000.

ISO/IEC TR 20000-3:2009 – Technical Report Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1

ISO/IEC TR 20000-3:2009 provides guidance on scope definition, applicability and demonstration of conformance for service providers aiming to meet the requirements of ISO/IEC 20000-1, or for service providers who are planning service improvements and intending to use ISO/IEC 20000 as a business goal. It can also assist service providers who are considering using ISO/IEC 20000-1 for implementing a service management system (SMS) and who need specific advice on whether ISO/IEC 20000-1 is applicable to their circumstances and how to define the scope of their SMS.

ISO/IEC TR 20000-3:2009 supplements the advice in ISO/IEC 20000-2, which provides generic guidelines for implementing an SMS in accordance with ISO/IEC 20000-1.

ISO/IEC TR 20000-4:2010 – Technical Report Part 4: Process reference model

The purpose of ISO/IEC TR 20000-4:2010 is to facilitate the development of a process assessment model according to ISO/IEC 15504 process assessment principles. ISO/IEC 15504-1 describes the concepts and terminology used for process assessment. ISO/IEC 15504-2 describes the requirements for the conduct of an assessment and a measurement scale for assessing process capability.

The process reference model provided in ISO/IEC TR 20000-4:2010 is a logical representation of the elements of the processes within service management that can be performed at a basic level. Using the reference model in a practical application might require additional elements suited to the environment and circumstances.

The process reference model does not provide the evidence required by ISO/IEC 20000-1. The process reference model does not specify the interfaces between the processes.

ISO/IEC TR 20000-5:2010 Exemplar implementation plan for ISO/IEC 20000-1

ISO/IEC TR 20000-5:2010 is an exemplar implementation plan providing guidance to service providers on how to implement a service management system to fulfil the requirements of ISO/IEC 20000-1 or for service providers who are planning service improvements and intending to use ISO/IEC 20000 as a business goal. It could also be useful for those advising service providers on how to best achieve the requirements of ISO/IEC 20000-1.

ISO/IEC TR 20000-5:2010 includes advice for service providers on a suitable order in which to plan and implement improvements. It is suggested that a generic three-phase approach is used to implement a service management system. The phased approach provides a structured framework to prioritize and manage the implementation activities.

ISO/IEC TR 20000-5:2010 is for guidance only. The service provider has the option of choosing their own implementation sequence to implement a service management system.

Global adoption

ISO/IEC 20000 is currently being adopted worldwide. Organizations have realized that an organizational certification is proof that best practices are in place and that a continual improvement program and internal audits/assessments support the implementation. This is also verified by the certification body performing annual surveillance audits.

The advent of ITIL implementations has secured ISO 20000 position as the premier ITSM (IT Service Management) certification for organizations. Prior to ISO 20000, organizations were at the mercy of ITIL practitioners to implement ITIL services that could not be certified. ISO 20000 now provides organizations with a proven ability to audit implementation and accredit (certify) their implementation based on an agreed scope. ISO 20000 also helped organizations understand and conduct risk assessments which improved organization performance and understanding.

Currently there is no ISO published survey results for ISO 20000 implementations. Suffice to say, the United States is seeing Federal requirements, requesting proven certification for new or renewed IT contracts.

Benefits

Provides a way to align information technology services with business strategies.
Creation of a formal framework service management and service improvement.
Provides KPI measurement criteria.
Creates competitive advantage via the promotion of consistent and cost-effective services.
Changes an IT driven culture into a business driven culture.
Provides management a clear view of inter-dependencies across IT and the ISO 20000 processes.
Promotes risk assessment and risk management.
Enhanced reputation and perception for using best practices.
IT becomes pro-active rather than re-active.
Improved understanding and relationships between IT and the business/customers.
Creation of a stable framework for both resource training and service management automation.

Auditing

The ISO/IEC 20000 Standard require a two stage auditing methodology in that the organisation is required to carry out internal audits as well as having the discipline of external auditors from the certifying body carry out their own audits.

Internal Audits

Staff from your organisation can be trained to carry out audits through formal courses which are often 3-5 days in length or they can be trained in-house with the use of ‘mentors’ who will guide them through the training process. Whichever route is chosen, the external auditor will be ensuring the internal audits are carried out in a competent manner. Staff will not be able to carry out audits on their own work so a minimum of two internal auditors should be planned. Staff will often volunteer to be an internal auditor for various reasons but being inquisitive about how the rest of the Company operates, can be high on the list. It is often better to have a motivated volunteer than someone who has been detailed to be an internal auditor. In some cases, consultants can be employed to carry out these audits but the cost, long term, can be high. The internal audits will need to be carried out on the full ITSM Management System. However, depending on the importance of certain areas, or the weakness of certain processes, this can be varied to suit. The internal audit process should ensure that the organisation is working to established processes and to ensure that any improvements are noted and captured within the management system. Non conformances can be a useful source of continual improvement, not a cause for starting the ‘blame game’.

External Audits

These will be carried out by the certifying body who will provide auditors experienced in the area that your organisation is working in. External auditors in the ITSM field will be expected to have significant relevant experience ref ISO/IEC 17021:2006 Conformity assessment — Requirements for bodies providing audit and certification of management systems. The better certifying bodies will expect their auditors to be on the International Register of Certified Auditors (IRCA) or RABQSA equivalent.

📶📶📶 Contact us to register for ISO 27001 Training, Consulting and Certification services according

Customers, organizations and enterprises require Training, Consulting or Certification services of Information Security Management System ISO 27001: 2013, please click on "Registration - Quotation" or on the right toolbar below the PC screen to receive a quotation for training, consulting and certification services.

📶📶📶 Further information, Please contact us as below:

🌐 VINTECOM International Office in Ha Noi City: 16th Floor - Green Stars City, 234 Pham Van Dong, Bac Tu Liem District, Ha Noi City. Hotline 094-886-5288/ (024) 730-588-58

🌐 VINTECOM International Office in Ho Chi Minh City: Golden City House - 182 Ha Huy Giap, 12 District, Ho Chi Minh City. Hotline 0938-083-998/ (028) 7300-7588