ISO/IEC 20000-1:2018 - Certified Lead Auditor PDF

Summary

This document is about the ISO/IEC 20000-1:2018 standard for Service Management and Certified Lead Auditors. It provides information on why service management is needed and how to apply it. The document also covers various aspects of the standard, including structure, requirements, and key processes for auditing and performance evaluation.

Full Transcript

ISO/IEC 20000-1:2018 - Certified Lead Auditor

Service management

1. Why is it needed?

Services are as old as the world — various forms of services have been around for a long time, including legal services, transport services and governmental services. As a subset, Information Technology (IT) services have been around for a shorter time. IT services gave rise to what was known as IT Service Management (ITSM), because a need was felt to better control these services and their costs. ITSM, in turn, has been generalized to Service Management by applying its principles to services other than IT. In fact, most, if not all, services today contain some IT component, even if only a payment method or a website. This book, and the ISO/IEC 20000-1 standard, therefore refer to Service Management rather than ITSM, to show that it can be applied to all types of services.

Contrary to popular belief, service management does not have to be an old-fashioned, rigid framework that slows down every effort to bring about positive change. This is despite the fact that the fast-paced development of services today, pushed by (and, in turn, leading to) rapidly evolving customer requirements, results in many developers believing that traditional service management needs to make way for "newer" frameworks, such as Lean, Agile, DevOps and other related methodologies. In reality, the new ISO/IEC 20000-1 standard fully supports the use of these newer methodologies, but it can also be used with more traditional approaches to service management. A standard like ISO/IEC 20000-1 does not prescribe how you should implement your service management processes; it only states what these processes should conform to. This opens up a range of possibilities for organizations to implement their processes in a way that suits their circumstances.

Even a framework such as ITIL, which is far more prescriptive, is clear regarding the modification of its processes to the organization's needs. I tend to modify its slogan to Adapt and Adopt. You need to be able to adapt your service management practices to your organization's culture and then adopt said practices to maximize the outcome.

2.

You can conform to all requirements of ISO/IEC 20000-1 in various ways, adapted to the management practices you have adopted and the services you provide. It applies both to waterfall-type service implementations and restrictive change management practices, and to continuous delivery practices with a rapid change approval turnaround time. It all depends on what your service management policy (the high-level statement by which service management is governed) and your principles (the related statements on what is permissible in, for example, change or incident management) are. These, in turn, depend on the culture of the organization.

What makes service management so valuable is that it enables a structure for provisioning that can be adapted to the culture of the organization. People working within this structure know the level of flexibility and autonomy needed to make decisions independently for the organization. Customers are aware that they can expect consistent value from the services they purchase, and management know they have a structure in place that promotes efficiency, reduces costs and keeps customers satisfied.

3. The ISO/IEC 20000 standard

3.1 THE ISO/IEC 20000 SERIES OF DOCUMENTS

ISO/IEC 20000 is not a single document — there is actually a series of ten, in which the primary standard (i.e., ISO/IEC 20000-1:2018) is included. ISO decided to distinguish these documents as parts of the 20000 series by assigning numbers to them, hence the primary standard is 20000-1.

Other parts of the 20000 series are as follows. (Note that with the release of the 2018 edition of Part 1, some dependent parts that are currently published still refer to the 2011 edition and will be updated.)

ISO/IEC 20000-1 is the international standard for service management, providing requirements to which a service management system (SMS) should conform.

ISO/IEC 20000-10 (also known as Part 10, and updated in 2018) is the general introduction to the series, containing descriptions of the aims of ISO/IEC 20000, as well as the various other parts and ISO standards related to it. It also contains all terms and definitions used in the series.

ISO/IEC 20000-2 (Part 2) is a larger document. Part 1 specifies concise and precise requirements that can be audited, whereas Part 2 provides further guidance on how to interpret and implement the requirements.

ISO/IEC 20000-3 (Part 3) provides guidance on how to define a scope for Part 1: we will see that this is an important aspect of implementing the standard, which may become complex if you are using one or more internal or external suppliers.

ISO/IEC 20000-5 (Part 5) is an example of an implementation plan for an SMS according to Part 1. As well as a project plan, it also includes guidance on areas such as a business case and templates.

ISO/IEC 20000-6 (Part 6) provides requirements for certification bodies when they audit an SMS based on ISO/IEC 20000-1. Part 6 is valid for both the 2011 and the 2018 editions of Part 1.

ISO/IEC 20000-7 (Part 7) provides guidance on the integration and correlation of management systems based on ISO/IEC 20000-1, ISO 9001 (quality management) and ISO/IEC 27001 (information security management).

ISO/IEC 20000-11 (Part 11) makes a comparison between Part 1 and the Information Technology Infrastructure Library (ITIL).

ISO/IEC 20000-12 (Part 12) makes a comparison between Part 1 and the Capability Maturity Model Integration for Services (CMMI-SVC).

ISO/IEC 20000-13 (Part 13) makes a comparison between Part 1 and Control Objectives for Information Technology (COBIT).

Some parts (4, 8 and 9) seem to be missing from this series; this is because their development was cancelled, or they were withdrawn or renumbered.

3.2 THE STRUCTURE AND CONTENTS OF ISO/IEC 20000-1:2018

ISO/IEC 20000-1 is now aligned with the high-level structure and terminology of what is referred to as "Annex SL", an appendix to the ISO Directives. This structure has been, or will be, applied to all management system standards, including the latest editions of ISO 9001 (Quality Management Systems), ISO/IEC 27001 (Information Security Systems), ISO 14001 (Environmental Management Systems) and many others, now also including ISO/IEC 20000-1. Applying the high-level structure results in many requirements being identical or at least very similar across these standards, making the integration of multiple management systems much easier. If you already have, for example, an ISO 9001:2015 certification, then part of the work you have completed to achieve that can be re-used for your ISO/IEC 20000-1:2018 certification.

This new structure of ISO/IEC 20000-1:2018 is quite different from the 2011 edition, but you will still find similar requirements in both editions, although these will be in different places. If you want to know exactly what has changed between the two editions, refer to Appendix B for an overview.

The high-level structure of these standards is indicated below. In what follows, the specific content of ISO/IEC 20000-1 is described.

Clause 1 — Scope

A general description of what the standard entails. It states that ISO/IEC 20000-1 covers the establishment, implementation, maintenance and continual improvement of an SMS. The standard is applicable to all types of services, be they IT, such as cloud hosting, or non-IT, such as transport or health care. It is also applicable to organizations of any size, ranging from self-employed consultants to large corporations.

Clause 2 - Normative references

This section may contain references to other standards that may have to be used in combination with this one. ISO/IEC 20000-1 has no references here, and can therefore be used as a stand-alone standard.

Clause 3 - Terms and definitions

A list of terms used in the standard, defining the context of words such as 'organization', 'service', 'incident', etc. Many of these come from Annex SL, indicated in Clause 3.1, while others have been specifically added for ISO/IEC 20000-1, in Clause 3.2. The list of terms and definitions in ISO/IEC 20000-1 is also included identically in ISO/IEC 20000-10.

Clause 4 - Context of the organization

This is where the actual requirements for the SMS start. This section is mostly based on the default Annex SL requirements, similar to other management system standards. Clause 4 asks you to perform a number of basic activities to determine the environment that the SMS and services are in. This includes a list of issues both inside and outside your organization that may have an impact on how you operate the SMS and the services, achieve their objectives and generate value for customers. Issues can be either positive or negative — the possible impact of competition can be an issue, but so can the availability of staff in the market. You should also identify the internal and external stakeholders ("interested parties" in the standard) who have an interest in what your organization does, such as your employees, customers, regulators, HR team, competitors, unions, etc. These groups interact with you and have certain needs and expectations of which you need to be aware. The third part of this section asks you to define a scope for the SMS, indicating what part of the organization and what services are included. This is a statement similar to the following: "The SMS supporting the utility services provided by Clean Water, Inc. from Jakarta, Indonesia". These statements can get quite complex, however, which is why ISO/IEC 20000-3 has been written to guide you through defining the scope of your SMS in more complex cases, such as when you use one or more suppliers to provide your services.

Clause 5 — Leadership

This clause has requirements for the organization's top management, i.e. the people accountable for the SMS, who need to support the establishment of the SMS and provide an appropriate level of involvement to successfully implement and run an SMS that supports the services delivered to the customers. Leadership support is fundamental to running a successful SMS. Therefore, top management need to explicitly show their involvement in the following areas:

Making sure a service management policy (stating overall direction for the SMS), service management objectives (stating measurable targets for the SMS) and a service management plan (stating how the SMS is to be implemented and maintained) are created and communicated to all involved parties;
Making sure third parties involved in the SMS, such as suppliers, are controlled, for instance through the use of service level agreements (SLAs);
Making sure the SMS meets its objectives and the services meet their outcomes, e.g. by measuring the service management objectives and the customer SLAs;
Making resources available, such as staff, information, budgets and technical resources, to run the SMS and the services;
Assigning roles, responsibilities and authorities to the right people who run the SMS, so they can independently make relevant decisions.

Note that top management is not usually the same as a governing body: the latter is part of larger companies and consists of a board of directors, who have a more strategic role rather than a management one. A governing body would be responsible for governance, including evaluating, directing and monitoring the organization, which top management would implement for them in an operational environment. In smaller companies, however, the roles of the governing body and top management may well be fulfilled by the same person(s). Governance of IT is covered in ISO/IEC 38500.

The service management policy is a high-level statement of intention and direction for the SMS and services. It should show commitment to satisfying requirements for the SMS and state support for continual improvement, providing the framework for the service management objectives defined in the next section.

Clause 6 — Planning

This clause contains requirements for the planning of the SMS, including risk management, setting service management objectives and planning to create the SMS itself. A certain level of risk management is required, albeit not a very extensive one, to assess risks and opportunities related to the SMS and services. These often follow on from the issues and stakeholders you identified in Clause 4, and should be assessed and treated where required. Service management objectives need to be set at all levels in the organization, so that everyone involved is aware of the goals of the SMS. The service management objectives state measurable targets for the SMS and the services, and are regularly assessed and updated where needed. These can simply be part of the regular performance objectives many organizations already set on an annual basis. Based on all of the information gathered in Clauses 4 to 6, you can now plan the actual SMS. This should be documented in a service management plan, containing the list of services, any restrictions and obligations, authorities assigned to support the SMS, the resources needed and the way in which the success of the SMS is going to be measured, assessed and improved. This helps people working in the SMS to understand its purpose and deliver the services.

Clause 7 — Support

After going through the preceding clauses, the organization has reached the stage where the support needed for the SMS and the services can be determined. This includes the requirements for communication, competency, knowledge, awareness, providing resources for the SMS and creating and maintaining documentation for it. This section also contains a list of key documentation needed for the SMS, although more is required elsewhere in Part 1. Resources need to be made available to support all phases of the lifecycle of the SMS and services. These include not only human resources, but also financial, technical and information ones. The competence of people supporting the SMS and the services needs to be planned, assessed and managed to ensure proper operation, whilst education and experience should be increased where required: the right person needs to perform the right job. All people working in the context of the SMS need to gain awareness of the service management policy, objectives and services, so that they have direction for their own activities, are motivated, and understand how best to provide support.

Communication is central to any well-functioning organization. You need to determine what to communicate at what time, as well as how and to whom, so that all relevant stakeholders are aware of what is expected of them. Service management, even with an Agile approach, does not work well without some level of documentation: this is not only to prove how well your SMS is functioning, but more importantly to lay a foundation for the work people are doing. Service documentation in relation to policies, objectives, processes and reports needs to be created, maintained and controlled so that it can be referred to as the agreed way to develop, support and improve the SMS and the services.

The final subject covered in this section is knowledge: you should determine what knowledge is required to support the SMS and the services, making sure it is available and accessible to the people who need it. Knowledge may include documentation, such as design specifications, or databases with incident tickets, for example. This supports the effective operation of the SMS and the services by enhancing collaboration and knowledge-sharing. For example, service documentation is necessary for customers to make use of self-service facilities, so it can be ensured the SMS is well operated and accessible.

Clause 8 — Operation

This clause contains all requirements for what can be recognized as the main service management processes. It is by far the largest section in the standard, as it has extensive requirements for the following processes and activities:

Operational planning and control: this area requires you to control all processes needed to meet the requirements of the SMS and the services, including those that are outsourced to third parties. It is to be done in alignment with the service management plan (described in Clause 6.3) in conjunction with others, so that service requirements are met and the service management objectives (described in Clause 6.2) are achieved.

Service delivery: asks you to coordinate the activities and resources needed to operate the SMS and the services.

Plan the services: deals with determining service requirements, identifying services based on their criticality and aligning them with the service management policy, objectives and requirements. The aim is to plan the services effectively, so that the business objectives of the service provider and the outcomes of the SMS are achieved.

Control of parties involved in the service lifecycle: this section is important in that it requires you to control the services, components or processes that you may have outsourced to others, while retaining accountability for the whole SMS and service lifecycle end-to-end. This ensures that all processes and services generate their desired outcomes and that the service management objectives are achieved. It is made explicit that not all elements in scope of your SMS may be outsourced: you need to achieve at least the requirements in Clauses 4 and 5 yourself; requirements in Clauses 6 to 10 may be achieved with the help of third parties.

Service catalogue management: create a catalogue listing the services, their outcomes and any dependencies, for the benefit of both your internal organization and your customers' expectations. You can create multiple service catalogues for different audiences, such as an internal one and a customer-facing one.

Asset management: this clause has a single requirement, which is to identify the assets needed for provisioning the services (such as hardware, software, people and real estate) and to make sure they are managed to meet service requirements and obligations such as legal and contractual requirements.

Configuration management: this applies to those elements of the services that need to be controlled throughout their lifecycle, known as configuration items (CIs). CIs can, for example, be servers, software, trucks and other vital parts of the service you are providing. You need to maintain the configuration information of these items so that the information can be used by other processes, such as incident and change management.

Business relationship management: this refers to the process of setting up communications between your organization and customers to ensure that needs and business outcomes are known and met by the services. Reviews are to be held to look at trends in service performance and whether outcomes are achieved; measuring customer satisfaction and complaints handling are also part of this area.

Service level management: service level agreements (SLAs) should be established between the service provider and the customers, based on the agreed service requirements, so that agreed service levels can be maintained.

Supplier management: suppliers, who can be internal, external or customers acting as a supplier, need to be controlled to make sure services are provided in a seamless manner. Contracts are set up with external suppliers, and documented agreements are set up with internal suppliers or customers acting as suppliers. The performance targets for suppliers need to be kept aligned with the SLAs agreed with customers: otherwise, you may not be able to meet the SLAs because suppliers are held to more relaxed targets than what you have agreed with your customers.

Budgeting and accounting for services: this clause should be part of the overall financial management practices of your organization, but specifically applied to the services. The standard asks you to keep track of the costs incurred in the SMS against the budget allocated to it, in order to control the total finances and be able to make decisions based on the financial performance of the services.

Demand management: requires you to keep track of the demand for your services. This process works closely with capacity management, which is used to adjust the service to meet the demand for it.

Capacity management: the capacity of resources supporting the services needs to be sufficient to meet the service requirements, both at present and in the future, and should therefore be measured and adjusted where required. This includes not only technical capacity (such as bandwidth), but also human (the number of people employed on a service desk), financial (the budget needed to refresh computers) and information (the capacity of the database behind a ticketing system) resources. This links back to the requirements for resources in Clauses 5 and 7.

Change management: this process is critical to controlling the services appropriately, by controlling changes made to them without causing unwanted service outages or reductions in quality. Accordingly, it requires a policy of its own to outline the types of changes (e.g. standard, major, minor, emergency) as well as how best to manage them based on the service provider's direction (including flexibility in who can approve changes). Change requests should be properly initiated, evaluated and approved before being carried out via release and deployment management. This ensures stability of the services.

Service design and transition: this area focuses on managing requests for changes to existing or new services which are categorized in the change management policy as requiring a project, due to their potential impact on customers or existing services. It ensures that these can be delivered and managed within budget with the agreed service quality, including all removal and transfer of services to other providers as well. This process has a project lifecycle to exercise additional control, including planning, designing, building and transitioning the service into the live environment. It is very closely associated with change, configuration and release and deployment management.

Release and deployment management: this set of activities is where the changes are deployed into the live environment, often based on approved change requests from change management, or pre-approved service requests (e.g., password resets). It can be for a single change or a group of changes batched together into a single release. The aim is to control these activities so that new releases are implemented without unplanned interruption to the services.

Incident management: interruptions to services happen, due both to human error and to technological issues, and therefore need to be properly handled in terms of recording, prioritization and resolution. The aim of incident management is to get the service back up and running as quickly as possible, without necessarily finding or fixing the underlying cause - determining the cause of an outage is part of problem management. Major incidents require their own procedure, with more attention from top management.

Service request management: service requests are activities that can be handled without going through the full change management process, such as information or access requests, or pre-approved changes. Password resets, requests for access to systems, and requests for documentation or other information are all part of this. These requests need to be handled efficiently in relation to recording, prioritization and fulfilment so that users continue to benefit from the services.

Problem management: a problem is the cause of one or more actual or potential incidents and, as such, problem management is closely related to incident management. It exists to identify and analyse the root causes of problems and make sure they don't create incidents that impact services in the future. As with incidents and service requests, problems need to be recorded, prioritized and resolved, and it may be necessary to raise a change request to fix the cause.

Service availability management: the availability of the services is considered the main requirement from customers, which is why any risks to it need to be recorded and handled to ensure continued use. Availability should be monitored and compared to what was originally agreed in the service targets.

Service continuity management: similar to availability, risks to the continuity of the services need to be identified to ensure customers can use the services. A service continuity plan needs to be created to cater for major outages — this can be part of an overall business continuity plan.

Information security management: information security is, in a broader sense, the subject of ISO/IEC 27001. The requirements in ISO/IEC 20000-1 are, in comparison, much lighter. There needs to be an information security policy providing direction on how the confidentiality, integrity and availability of information used by the services and in the SMS are to be assured. Performing an information security risk assessment leads to setting controls that aim to make sure information is kept secure at all times, for instance through physical security measures (using badges for building access) or logical security (implementing firewalls and cyberattack prevention measures). Information security incidents are to be handled in similar ways to other incidents, but taking the impact on information security risk into account.

Clause 9 - Performance evaluation

The requirements in this clause cover the evaluation of the SMS, including measuring, undertaking a management review, carrying out an internal audit and reporting. This section is primarily Annex SL-based, but ISO/IEC 20000-1 adds a number of requirements that are specific to service reporting. Overall, the aim is to monitor, measure, analyse and evaluate the SMS so that it can be managed effectively and support the organization. Aspects of the SMS and the services, such as service level targets or process efficiency, need to be measured, monitored and reported on. This serves as part of the input for a regular review meeting, which is a chance for top management to assess the state of the SMS and the services from various perspectives in order to make beneficial decisions. Any required changes, risks or opportunities for improvement in the SMS or the services should be discussed as part of this review. An internal audit program is necessary to regularly assess the SMS and provide information on whether it meets the standard's requirements or any other requirements the organization has for it. This audit should be performed by someone who is sufficiently independent of the area being audited to prevent bias during the assessment. Finally, service reporting needs to be implemented to show how well the SMS and services are performing. This information can then be used by several stakeholders to make appropriate decisions, such as increasing the capacity of the services or creating new ones.

Clause 10 — Improvement

This clause focuses on ways in which the SMS can be improved, such as dealing with nonconformities and ensuring continual improvement. Nonconformities, i.e., anything that deviates from meeting requirements in Part 1 or the organization's own requirements for the SMS, need to be identified, analysed and corrected. Actions should be taken to prevent any recurrence and ensure continued performance of the SMS. Continual improvements should be implemented so that value creation for the customer is ensured, and these should be carried out using specific targets (related to quality, performance, cost, etc.) which are to be measured and reported on. Various methodologies can be used for improvement, such as Lean, Six Sigma, the Deming Cycle (Plan-Do-Check-Act, PDCA), etc.
