ISO 20k GAQM p024-033

Questions and Answers

Which analysis focuses on both internal and external factors affecting an organization?

• Internal Issues Tracker
• PESTLE analysis
• SWOT analysis (correct)
• Risk Register

An organization is developing strategies to address new environmental regulations. Which component of the PESTLE analysis is MOST relevant?

• Technological
• Environmental (correct)
• Social
• Economical

Which of the following is NOT typically included as a direct element of a SWOT analysis?

• Ethical Considerations (correct)
• Weaknesses
• Opportunities
• Strengths

A company identifies a new, more efficient technology used by a competitor. Under which PESTLE category would this factor fall?

Technological (A)

In the context of service management, why is it important to identify and manage interested parties?

To ensure all relevant requirements for the SMS are met (D)

If a SWOT analysis reveals a significant internal weakness, what is the MOST appropriate next step for an organization?

Develop strategies to mitigate or eliminate the weakness. (D)

A service management policy is required. Which of the following MUST be included in the documented information, according to ISO/IEC 20000-1?

Commitment to fulfilling the requirements contained in ISO/IEC 20000-1 (B)

Which of the following is the MOST accurate description of the relationship between issues identified in SWOT/PESTLE analyses and risk/opportunity registers?

Issues identified can evolve into risks or opportunities, creating a need to link them to respective registers. (C)

What does the acronym SMART, used in the context of service management objectives, stand for?

Specific, Measurable, Attainable, Realistic, and Time-bound (B)

Why is it advisable to communicate the high-level objectives of service management to relevant parties, both inside and outside the organization?

To foster alignment and understanding of the goals and direction of the service management efforts. (C)

Which section of the Service Management Plan (SMS) includes details of contracts, SLAs, performance indicators, and other controls with external parties?

External Parties (B)

What is the primary purpose of the 'Measurements and Improvements' section within a Service Management Plan (SMS)?

To document the metrics used to assess the SMS and drive continual service improvement. (C)

Which of the following elements would be typically documented in the 'Limitations' section of a service management plan?

The geographical scope, staff working hours, and financial situation affecting the service management plan. (A)

In the context of a service management plan (SMS), what would the 'Obligations' section primarily address?

A record of all policies, legal, regulatory, and contractual requirements impacting the SMS and services. (C)

Which section of the Service Management Plan (SMS) would typically reference the 'Roles, Responsibilities and Authorities' document from Clause 5.1?

Authorities and responsibilities for the SMS and the services (C)

Why is it important to clearly define the resources required to run the SMS, such as personnel, knowledge management systems, and infrastructure?

To ensure the SMS operates efficiently and effectively, meeting its objectives. (B)

An organization chooses to 'Transfer' a risk. What does this treatment approach primarily involve?

Finding an external party willing to take ownership of the risk. (D)

After implementing an action plan to treat a risk, how should the 'Post action plan risk' typically compare to the original risk value?

It should be lower, indicating the action plan's effectiveness in reducing the risk. (A)

What distinguishes the 'Completion date' from the 'Due date' in a risk management action plan?

The 'Due date' represents the planned completion, while the 'Completion date' indicates the actual completion. (B)

Under what circumstance would the 'Post action plan risk' be the same as the original risk?

When the risk is 'Accepted' without any mitigation efforts. (C)

An organization is creating a risk management framework. Which statement BEST describes how they should approach this task?

Tailor the framework to the organization's specific needs, risk appetite, and operational context. (C)

Which of the following is a critical element in a risk management framework that helps track the progress and effectiveness of risk mitigation strategies?

A log of activities performed to treat risks, including due dates and completion dates. (C)

Consider a scenario where an organization identifies a high-risk vulnerability in its IT infrastructure. They decide to implement a new firewall and intrusion detection system. Which treatment approach does this represent?

Reduce (A)

An organization is developing its risk management processes. While ISO/IEC 20000-1 provides a foundation, what broader guidance can they consult for more comprehensive strategies?

ISO 31000 and ISO 31010 offer detailed approaches and examples for wider risk management implementation. (A)

When collaborating with external suppliers in the service lifecycle, what is the MOST important aspect to define clearly?

The scope of services provided by each party. (C)

An organization is developing a training program for its employees involved in the SMS. Which element is MOST critical to include in the curriculum?

Mandatory courses aligned with their specific roles. (C)

An employee wants to enhance their understanding of a new software application being used by the company. What are the MOST effective methods for gaining this knowledge?

Internal or external training, self-study, or documented procedures. (A)

Maintaining documented process is essential for compliance. What is the ideal way to access documentation?

Store all documentation in a centralized and easily accessible location. (C)

When documenting procedures, the use of screenshots from applications is mentioned. When is this MOST appropriate?

When training staff on step-by-step work instructions. (D)

What is the potential risk if critical knowledge primarily exists within the minds of a few key employees rather than being formally documented?

Vulnerability to knowledge loss if those employees leave or are unavailable. (C)

In a communication plan, what is of primary importance? Think big picture.

Outlining the types of communication, responsibilities, audience, and frequency. (D)

Why is documenting processes important in the service lifecycle?

To ensure compliance with regulations and consistency in service delivery. (A)

Which of the following is a mandatory documented information according to the provided content regarding ISO/IEC 20000-1?

Risks related to the organization, service requirements, and involvement of other parties in the service lifecycle. (A)

What is the purpose of the risk acceptance criterion within the context of risk management for SMS and services?

To define the level of risk the organization is willing to tolerate. (C)

Besides risks to the organization, service requirements, and third-party involvement, what additional risk categories might be included in the risk management phase according to the content?

Risks to service availability, service continuity, and information security. (A)

What is the primary difference between the basic and extended Risk Register Templates provided?

The basic template includes only mandatory fields, while the extended template contains more information suitable for broader risk management. (B)

According to the provided content, what is the role of management in the risk management process?

Management reviews risks to determine their treatment or acceptance. (D)

In the extended Risk Register Template described, how is the overall risk level calculated?

Risk is calculated as Impact multiplied by Likelihood. (D)

What is the significance of documenting the 'approach on how to deal with' identified risks within the context of ISO/IEC 20000-1?

It provides a clear plan for mitigating or managing the impact of potential risks on services. (D)

Why is it important to make the service management policy available to all relevant parties, both inside and outside the organization?

To ensure that everyone understands their roles and responsibilities in delivering services. (A)

What is the primary purpose of the documentation toolkit for ISO/IEC 20000-1?

To offer conformity methods and document templates, that meet the standard whilst going beyond the minimum requirements based on general good practice, benefiting the organization and easing integration with other management systems (B)

What distinguishes 'mandatory' from 'non-mandatory' documented information within the context of ISO/IEC 20000-1?

Mandatory documented information is explicitly required by the standard, while non-mandatory information arises from phrases where the organization must 'determine' or 'ensure' something without a specific documentation requirement. (A)

Which of the following elements is considered mandatory documented information in Clause 4 of ISO/IEC 20000-1?

Scope statement (A)

What is the most basic purpose of the scope statement within an SMS (Service Management System) according to ISO/IEC 20000-1?

To specify what is included in the scope of the SMS, including the organization's name, types of services supplied, locations, and possibly specific customers. (D)

Outside of the scope statement, what analysis types can assist an organisation in determining internal and external issues relevant to it's purpose?

SWOT and/or PESTLE analysis. (B)

Why might an auditor ask for evidence of conformance, even for non-mandatory documentation requirements?

Because documenting these items can benefit the organization, and the auditor will often ask for some sort of evidence of conformance with these requirements. (B)

An organization is implementing ISO/IEC 20000-1. They have created a document detailing their service catalog and service level agreements. Where does this documented information fall?

It is non-mandatory documented information, which is mentioned in the standard, and it benefits the organization to document these items, and auditors will often ask for some sort of evidence of conformance with these requirements. (C)

Compared to the minimum requirements of ISO/IEC 20000-1, how does the documentation toolkit's risk register differ?

The toolkit risk register is quite a bit more extensive than strictly required by the standard. However, in practice, the full extent of it will generally benefit the organization and make integration with other management system standards easier. (D)

Flashcards

SWOT Analysis

An overview of an organization's Strengths, Weaknesses, Opportunities, and Threats.

Interested Party

Internal groups or external parties with an interest in your Service Management System (SMS).

PESTLE Analysis

Political, Economic, Social, Technological, Legal, and Environmental aspects that affect an organization.

Service Management Policy

A document stating an organization's commitment to service management, principles, requirements and improvement.

PESTLE Analysis

Looks at the context of the organization in terms of Politics, Economy, Social, Technological, Legal and Environmental aspects

Political Aspects (PESTLE)

Government policies; wars, terrorism and conflicts; intercountry relationships; bureaucracy.

Economic Aspects (PESTLE)

Local economy; taxes; international trade; seasonality.

Social Aspects (PESTLE)

Brand, company, technology image; ethical issues; culture; media views; demographics.

Risk Level

Categorizes the severity of a risk after calculation.

Treatment

The selected method for addressing a specific risk.

Action plan

A record of the actions taken to manage a risk

Due date

The target date for completing risk treatment activities.

Completion date

The date when the risk treatment was actually finished.

Status

Indicates whether a risk is currently being addressed or if treatment is complete.

Post action plan impact

The reassessed impact of a risk following the implementation of a treatment plan.

Risk Management Framework

Framework to manage risk.

ISO/IEC 20000-1 Implementation Guidance

Practical advice for fulfilling ISO/IEC 20000-1 requirements, including document templates and clause-by-clause guidance.

Mandatory Documented Information

Information explicitly required by the ISO/IEC 20000-1 standard to be documented.

Non-Mandatory Documented Information

Documentation that is not explicitly required but beneficial for demonstrating conformity and for internal operations.

Scope Statement

A document outlining the boundaries and context of the Service Management System (SMS).

Scope Statement (Clause 4)

The only mandatory documented information specified in Clause 4 of ISO/IEC 20000-1.

Scope Statement Content

Includes the organization's name, type of services, locations, and possibly specific customers.

Internal and External Issues

Factors originating from within the organization (e.g., culture, resources) and outside the organization (e.g., market trends, regulations).

SWOT and PESTLE Analysis

Tools used to identify internal and external issues, aiding in strategic analysis.

SMART Objectives

Objectives should be Specific, Measurable, Attainable, Realistic, and Time-bound.

Service Management Plan

A high-level document describing what is needed to run the SMS and provide services.

Third-Party Services

Includes contracts, SLAs, performance indicators, making sure what is necessary is provided.

Technology (for SMS)

Needed to run the SMS, possibly already covered in the 'Resources' section.

Measurements and Improvements

Used for internal audits, reporting, and continual service improvement.

List of Services

Services in scope of the SMS.

SMS Limitations

Limitations such as geographical scope, staffing, or financial constraints.

SMS Obligations

Relevant policies, standards, and legal/contractual requirements.

Service Lifecycle Parties

Document who provides services, like outsource partners or suppliers.

SMS Personnel Competence

Technical skills, communication, product knowledge, process knowledge, etc.

Required Training Courses

Courses that are part of the curriculum for a specific role.

Non-Required Training Courses

Courses taken outside the standard curriculum.

Process Documentation

Documented templates for processes required by the standard.

Procedures

Step-by-step instructions, often with application screenshots.

Knowledge Documentation

Training materials, process documents, incident records, and policies.

Communication Plan

An overview of communication types, reasons, responsibilities, audience, and frequency.

Risk Management in ISO/IEC 20000-1

The process of identifying, assessing, and controlling risks that could impact the organization's services or SMS, focusing on service requirements and involvement of other parties.

Risk Register

A document that contains information about identified risks, their assessment, and planned responses. It can range from basic to extended, incorporating elements for broader risk management.

Risk Owner

The person responsible for taking action to manage a specific risk.

Impact (of a Risk)

A measure of the potential damage or loss if a risk occurs, often rated on a scale (e.g., 1-5).

Likelihood (of a Risk)

The probability or chance that a risk will occur, usually rated on a scale (e.g., 1-5).

Risk Score

A calculated value representing the overall level of risk, often determined by multiplying the impact score by the likelihood score.

Study Notes

• Chapter provides guidance to implement and document the requirements of ISO/IEC 20000-1.
• Explains ways to conform and refers to document templates from the ISO/IEC 20000-1:2018 Documentation Toolkit based on the standard's text.
• Guidance often exceeds the standard's requirements, based on general good practices.
• The risk register in the documentation Toolkit is more extensive than strictly required, benefiting the organization and integrating management systems.
• Mandatory documentation is explicitly mentioned in the standard as available.
• Non-mandatory documentation is mentioned in phrases like "the organization shall determine" without explicit availability requirements, but is in the Toolkit.
• Documenting non-mandatory items benefits the organization, and auditors often seek evidence of conformance.

Clause 4

• Template: 4.3 Scope.docx
• The only mandatory documented info is the scope statement (Clause 4's requirements).
• Scope statement: single sentence with organization's name, service types, locations, and possibly customers.
• Toolkit document: includes intro, terms, definitions, policies, organization chart, scope statement, and future scope changes.
• The toolkit is more extensive, with useful but non-mandatory information

Non-mandatory Documented Information

• Clause 4.1: Issue Tracker (4.1 Internal and External Issue Tracker.xlsx template).
• Clause 4.2: Interested Parties (4.2 Interested Parties.xlsx template).
• Determining relevant internal and external issues can result from SWOT and/or PESTLE analyses.
• SWOT analysis is an overview of internal Strengths and Weaknesses, and external Opportunities and Threats.
• The Internal and External Issues Tracker template is a more detailed version, registering issues with follow-up actions and owners.
• Issues may become risks or improvement opportunities, linking to respective registers.

Interested Parties

• Interested parties can be internal groups (HR, Finance, Sales, Security) or external (customers, suppliers, regulatory bodies).
• The interface between organization and interested party is a contact person or system.
• The reason why the party is interested is based on requirements for SMS and services.
• PESTLE analysis examines Politics, Economy, Social, Technological, Legal, and Environmental aspects.
• Political aspects: Government policies, wars, terrorism, intercountry relationships, bureaucracy.
• Economic aspects: Local economy, taxes, international trade, seasonality.
• Social aspects: Brand, company/tech image, ethical and cultural issues, media views, demographics.
• Technological aspects: Emerging technologies, competitor technology; development, market readiness.
• Legal aspects: Current/future legislation, regulatory bodies, competition law, and industry regulations.
• Environmental aspects: Environmental regulations, ecology, and sustainability.
• SWOT and PESTLE produce a list of issues/factors, positive/negative, internal/external, in a simple list.

5.2 Clause 5

• Mandatory Documented Information:
  • Clause 5.2: Service Management Policy (Template: 5.2 SM Policy.docx).
• The service management policy is concise, stating commitment to service management and establishing a framework of service objectives.
• Policy commits to fulfilling ISO/IEC 20000-1 requirements and continual SMS/services improvement.
• The template may be altered to reflect the service management principles used in an organization.
• Ensure the policy is available to relevant parties.
• Non-mandatory Documented Information:
  • Clause 5.3: Roles, Responsibilities, and Authorities (Template: 5.3 RRA.docx).

5.3 Clause 6

• Mandatory Documented Information:
  • Clause 6.1: Risks (Template: 6.1 Risk Register.xlsx & 6.1 Risk Register - Basic.xlsx).
  • Clause 6.1: Impact of Risks (Template: 6.1 Risk Register.xlsx & 6.1 Risk Register - Basic.xlsx).
  • Clause 6.1: Risk Acceptance Criteria (Template: 6.1 Risk Management Framework.docx).
  • Clause 6.1: Risk Management Approach (Template: 6.1 Risk Management Framework.docx).
  • Clause 6.2: Service Management Objectives (Template: 6.2 SM Objectives.docx).
  • Clause 6.3: Service Management Plan (Template: 6.3 SM Plan.docx).
• Risk management in ISO/IEC 20000-1 isn't a heavy process. Documenting is limited to risks related to the org, not meeting service requirements, and other parties in service lifecycle.
• Includes the impact upon customers for the SMS and services needs to be determined, together with a risk acceptance criterion
• Additional risks identified elsewhere might also include service availability, service continuity and information security risks..
• Two provided Risk Register Templates: basic or extended (containing more info, also for risk management in ISO/IEC 27001).
• The risk register provided is a general operational risk management tool.
• Roles, responsibilities, and authorities for running the SMS in practice can be in the job descriptions of personnel.
• To highlight specific roles/responsibilities/authorities/qualifications explicitly, use the template document.
• In a straightforward spreadsheet:
  1. Date risk opened.
  2. Name of risk.
  3. Description.
  4. Reference number.
  5. Date of last update.
  6. Relevant ISO standard (20000-1 in this case).
  7. Owner of risk (the person who acts).
  8. Management review (indicator of whether management has reviewed).
• Impact rated on a 1 (Low) to 5 (High) scale if risk happens.
• Likelihood rated on a 1 (Low) to 5 (High) scale.
• Risk = Impact x Likelihood, scale of 1 to 25.
• Risk level: High, Medium, or Low (based on item 11).
• Treatment is the chosen approached: Accept (do nothing), Reduce (implement controls), or Transfer (someone else accepts the risk).
• Action plan: log of risk treatment activities.
• Due date: date risk should be treated.
• Completion date: actual treatment completion date.
• Status: open or closed.
• Post-action plan impact (same as Impact), recalculated after treatment, should be lower than original unless risk is accepted.
• Post-action plan likelihood (same as Likelihood), recalculated after treatment, should be lower unless accepted.
• Post action plan risk (same as Risk), recalculated after treatment, should be lower unless accepted.
• Post action plan residual risk level (same as Risk Level), recalculated after treatment, should be lower unless accepted.
• Risk acceptance criteria and approach can be documented; the exact details vary across organizations.
• Template provided: the Risk Management Framework, tailorable to the organization's needs.
• Risk management has a broad area.
• ISO/IEC 20000-1 has low IT demands.
• A lot of literature how to handle risk management, although it goes beyond ISO/IEC 20000-1.
• International Standard for Risk Management: ISO 31000 (approaches in ISO 31010).
• Necessary documented information is optional from ISO/IEC 20000-1 perspective.

Service Management Objectives

• Defined as part of annual performance objectives, set at various levels, based on service management policy framework.
• Should be SMART: Specific, Measurable, Attainable, Realistic, and Time-bound.
• Template: free-form doc with with high-level service management objectives to translate into objectives for specific functions internally.
• High-level objectives should communicated.
• The service management plan is a high-level doc describing how to run SMS and supply services, that it is operated by those parties and controls to ensure necessary conditions..
• Mention Contracts, SLA's, performance indicators and controls

Technology

Describes the technology is needed to run the SMS.

Measurements and Improvements

This section documents the measurements taken of the SMS and the services to verify that everything is running optimally.

5.4 Clause 7

• Documented info on measurements are used for audit, and input from the improvement process.

Mandatory Documented Information

• Clause 7.2: Competence (Template: 7.2 Competence.xlsx).
• Clause 7.5: Processes (Template: 7.5 Process Template.docx).
• Clause 7.5: Procedures (Template: 7.5 Process Template.docx).
• Clause 7.6: Knowledge (Template: N/A).
• List of services: list of your services in scope of the SMS.
• Limitations: list of limitations (geographical scope, staff hours, finances, customer requirements).
• Obligations: list of obligations (policies, standards, legal, regulatory, contractual requirements, and how these obligations apply to the SMS and the services).
• Authorities/responsibilities for SMS and its services are in the Roles, Responsibilities, and Authorities document.
• Resources: list of resources (personnel, knowledge management system, documentation, servers, and desktop computers.
• List of resources needed to run the SMS.

Approach for Parties for the service lifecycle

• Other parties involved in the service lifecycle used to provide services can be described.
• Determine the need from competence personnel.
• Competence ranges from Skills to abilities. It can be obtained via internal or external training.
• Use internal or external training, self-study consultation from documented processes
• Organization maintains form training database (template: spreadsheet, employee, name, hiring date, training and completion date)).
• Columns distinguish "required" versus "non-required" courses, followed outside of curriculum.

Processes

• All standard needed processes documented and process template toolkits.
• All Elements describe the clause

Procedures

• You procedures can be written as step-by-step instructions or screenshot.
• Templates contain sections described

Knowledge

• Knowledge exists in many forms.
• Since this has a broad area, no template has been provided.
• Organization makes sure knowledge is documented.

Non-mandatory documented information

• Clause 7.4: Communication Plan (Template: 7.4 Communication Plan.xlsx).
• Clause 7.5.1: Documented info determined by the org as necessary for SMS effectiveness (Template: NA).
• Clause 7.5.3: Doc'd information of external origin the org needs for planning/operation of SMS (Template: NA).
• Clause 7.5.4: Processes of the organization's SMS (Template: 8 Process Template).
• Clause 7.5.4: Records required as evidence to requirements of standards the SMS (Template: NA).
• The communication plan is an overview of what takes place and why.
• Template has examples for communication plan, which needs to be reviewed regularly.
• Other documents of internal/external origin relevant to the organization's particular SMS are not mentioned in the standard.
• All process used in the SMS needs to be documented, discussed and in detail are are mentioned in the tool kit
• Section 7.5.4 requires to give your records to show illustrate conformity to requirements.
• However this can be shown in minutes, presentation, and risk.

Description

Explore frameworks like SWOT and PESTLE for strategic planning. Understand internal/external factors impacting organizations. Learn about service management policies and risk management.