ISO/IEC 20000-1 PDF - Service Management System Requirements

Summary

This document is from a publication on ISO/IEC 20000-1:2018, a standard detailing requirements for service management systems (SMS). It covers aspects of planning, implementing, operating, evaluation, and continual improvement within IT service processes. The content guides organizations in effectively managing and providing IT services. The document includes the Deming cycle and its application to service management.

Full Transcript


The Service Continuity Plan needs to contain the following information:

- Criteria and responsibilities for invoking service continuity
- Procedures in the event of a major loss of service
- Targets for service availability when the service continuity plan is invoked
- Service recovery requirements
- Procedures for returning to normal working conditions

Any results of service continuity tests can be documented in the plan as well. In addition, risks to service continuity can be documented in the Risk Register. Reporting on what caused a service continuity event, what the impact was and when the service continuity plan was invoked can be done using the generic Report Template.

5.5.21 Information security management

Opportunities for improvement and implemented improvements (Clause 10.2): CSI Register.xlsx

The list of nonconformities is based on (internal) audit findings. The template is a simple spreadsheet with a reference number, description of the nonconformity, owner, due date, action log, completion date and status.

The CSI Register is based on any opportunities for improvement that have been raised as outputs from processes, a formalized continual service improvement plan, risks, and other sources of improvements. The template is a simple spreadsheet with a reference number, description of the CSI opportunity, owner, due date, action log, completion date and status.

An internal audit program should be created, which can typically take place once a year, or alternatively be broken into multiple sessions throughout the year. Qualified personnel should be responsible for these and have knowledge of the applicable standard for internal audits of management systems, ISO 19011. Note that this needs to be done irrespective of whether you want to have an external (certification) audit as well. The setup for this internal audit is described in the Internal audit program template. The deliverable of an internal audit is the Audit Report.
5.6.2 Management reviews

Management reviews should be held at least once a year, though twice is preferable. The aim of these reviews is to keep top management informed about the state of the SMS and the services. The input to the management review comes primarily from other documented information that you should already be maintaining, such as the risk register and measurements of processes and services. The management review is an executive summary of these operational documents, so it should not go into full detail but rather cover the main points and overall trends. The template provided is an outline with guidance on the required sections of the management review.

6. Implementing the requirements of ISO/IEC 20000-1:2018

Running the SMS and the services

The success of running an SMS and providing services is not guaranteed by simply being able to produce documented information such as that described in the previous chapter. The reality is that a successful SMS is consistently integrated into the daily operation of a service provider, with documented information only being a product of the daily operation. This chapter addresses the practical aspects of running an SMS and its associated services, from planning through implementation and operation, to evaluation and continual improvement. It is not completely coincidental that these phases reflect the Deming Cycle (Plan-Do-Check-Act, PDCA), because, even though the explicit use of PDCA is no longer in the standard, the methodology still works as a simple framework that can be applied to the SMS and the services.

6.1 PLANNING

6.1.1 Planning the SMS

Any initiative to start developing an SMS is almost always triggered by the need for a change in the way a service provider handles its services.
This trigger can come from various sources:

- Internal needs to reorganize, reduce costs, or increase revenue;
- Customers may indicate that they want other features in their existing services, indicating dissatisfaction with their current service performance;
- Competitors may provide new services that eat away market share;
- Innovation, possibly triggered by the increased focus on digital transformation, may be initiated by the service provider itself.

Various improvement methodologies other than the Deming Cycle, such as Lean, Six Sigma, ITIL's seven-step continual improvement process, or others, can trigger both the large- and small-scale improvements necessary in the services and existing service management practices. In any case, an SMS based on ISO/IEC 20000 will rarely be developed when no service management practices already exist. It will usually build on existing practices, however rudimentary, and improve these to meet service requirements.

Planning activities are responsible for most of the work involved in the implementation of an SMS. If planning is done well, operating, evaluating and improving the SMS become much easier. You should therefore spend a considerable amount of time in this planning phase, starting by creating a very high-level picture of what the SMS should look like. Take inspiration from Figure 1 in ISO/IEC 20000-1:2018, which shows the general outline of the requirements in the standard. Determine what this structure means for your organization and what the immediate activities are that you should initiate in order to plan the development. The high-level activities outlined in Chapter 4 of this book indicate the planning activities needed. Creation of initial documentation, as discussed in Chapter 5 of this book, is another set of activities that will aid the planning process. However, it should be the actual service requirements where it all starts.
As Clause 1.1 of ISO/IEC 20000-1 states, the aim of an SMS is to meet the service requirements and create value. You can only determine what these service requirements are and how the services can create value by asking the stakeholders of the SMS and the services: customers, suppliers, employees, management, supporting departments, etc. All should be listed as interested parties, and will have requirements for the SMS and the services that you need to consider in this planning phase. In particular:

- Customers will have requirements specific to the performance and availability of the services and effective support from the service provider.
- Suppliers will have requirements in terms of a smooth interaction between themselves and the service provider.
- Employees will have requirements for a set of effective processes that support them in their daily activities.

All interested parties have different ways of determining what value the SMS and the services create for them. Value can exist in terms of:

- Return on investment (the organization's top management);
- Effective support of the business outcomes (customers);
- Job satisfaction (employees);
- Fulfilment of commercial goals (suppliers).

Note that these examples of value are different for each stakeholder. Value co-creation (as used in some service management frameworks) is therefore never the creation of the same value by multiple stakeholders; instead, it is the simultaneous creation of different types of value for different stakeholders through the provision of the services. The practical activity required to identify service requirements and value creation consists of simply talking to these stakeholders and creating a list. The list of service requirements can then be prioritized and used for the planning of the SMS. This is not a one-time activity: PDCA is a cycle, meaning that you will continually move back to this planning phase and conduct this exercise over and again.
The prioritization of the service requirements and understanding value are activities that require the involvement of top management. It is clear from Clause 5 of the standard that top management needs to be involved in many steps during the complete lifecycle of the SMS and the services: after all, they are accountable for the success. In practice, this means that top management has an active role in the planning phase as well, by ensuring that all activities that are needed to establish the SMS are actually performed. This goes far beyond receiving a report regarding the progress of a project team that is establishing the SMS. It means getting actively involved where needed, for example by taking part in some sessions to prioritize service requirements, developing the service management policy and objectives, or actively contacting employees, customers and suppliers to listen to their opinions about the SMS and the services.

Sometimes it makes sense for the team that is involved in the planning of the SMS to provide some explicit input to top management for them to communicate to the organization or other stakeholders. This can, for example, be in the form of talking points for town hall meetings or text used for internal or external communications to emphasize aspects such as policies, compliance, or the need for change. A good relationship with top management is indispensable in getting them involved with the SMS and the services at all stages. Active participation by top management is very important to emphasise the credibility of the efforts to plan and implement the SMS.

Three important parts of the SMS that top management should ensure are created are the service management policy, service management objectives and service management plan. The policy provides high-level guidance on the aims of the SMS, what top management wants to achieve with it, and their commitment to conform with the requirements that apply and improve when needed.
The policy sets a framework for service management objectives, which can be part of an annual performance management cycle. These objectives are set in collaboration with all relevant stakeholders and are measurable performance targets for the SMS and the services. A plan should be created that outlines how these objectives are going to be met. The policy and objectives are inputs for the service management plan, together with the service requirements and other information. The plan unites all aspects of this planning phase and provides an overview of how the SMS and services will be operated, measured and improved, as well as what resources are going to be used to carry this out. In short, the service management policy describes why we need an SMS, the service management objectives describe what we are trying to achieve and the service management plan describes how it is to be achieved.

Top management also has a responsibility to make resources available to run the SMS and the services. These resources consist of people, information, finances and technology. People involved in the SMS should have the appropriate skills and experience for their jobs. It is important to do an initial assessment of the competences needed for different job roles that support the SMS and the services, so that people working in these roles can be appropriately trained. This assessment should be repeated regularly to ensure that possible changes in the SMS and the services are reflected in the competences of the people supporting them. This applies to all roles, including service desk agents, team leaders, managers, process owners, analysts, etc.

One of the most important information resources is knowledge, consisting of both documented information, such as the documentation discussed in Chapter 5 of this book or other documents not required by the standard that are still needed to run the SMS and the services, and institutional knowledge, which mostly exists in people's heads.
ISO/IEC 20000 requires documented information to be managed and knowledge to be made available to all interested parties that need it. It therefore makes sense to set up a knowledge management system (which is a technological resource), which can range from a simple shared drive or cloud-based file sharing platform to extensive commercial knowledge management platforms. What is important is that the knowledge management system is appropriate for the organization and can be accessed by all stakeholders who need it — employees, suppliers, and in some cases customers.

What should not be forgotten is that the SMS does not exist in isolation from the rest of the company. In many cases, the scope of the SMS is limited to the part of a company that actually provides the services. There are, however, many other parts of the company that contribute to the service provider: for example, human resources, finance, sales, facilities and other teams will all contribute directly or indirectly to the SMS and are as such considered stakeholders. All these teams have their own business processes that influence what the SMS can or should look like. Part of the planning is therefore assessing what business processes have already been established that the SMS should align with and support. Sales will have specific targets for selling the services; therefore, the SMS and its processes should support them in doing so. Finance has their budgeting and accounting methodologies that will influence the way in which the SMS and the services are financially supported. Facilities provide a work environment that determines the way in which staff can operate to support the SMS and the services, while HR obviously has an influence on the human resources who are working to provide this support. These departments form bi-directional relationships, where the SMS is influenced by the business processes and vice versa. They need alignment to be able to support each other.
6.1.2 Planning processes

The process side of planning the SMS consists of a number of different aspects. To start, governance is required to run the processes in an integrated manner. Governance here means that responsibilities are established and the processes themselves interact in an effective way. This can be ensured by the process owners using the three activities of Governance of IT from ISO/IEC 38500: Evaluate, Direct and Monitor. Through monitoring of the process outputs, these results can be evaluated, and management can direct the organization to improve the processes where required.

Responsibilities for processes are often allocated to a role called process owner or process manager. This role is responsible and/or accountable for the proper running of the process. It is all about leading the planning and documentation, making sure the process operates properly, and that the process is improved when required. Depending on the scope, a process owner can own multiple related processes. They regularly report on the performance of their processes to top management.

Processes in the SMS need to interact so that they support the services: incident management and problem management are closely related and need to exchange information. Change management interacts with a range of other processes, such as configuration management, business relationship management and service level management. As indicated in Chapter 5 of this book, a system diagram can visualize the interaction of all these processes. More importantly, when processes are properly documented, the interaction with other processes should be made clear: for example, what outputs of this process serve as inputs to others? What inputs does this process require from other processes?
These interactions should also be made clear to the staff working with these processes: the quality of their work not only determines the success of their own area, but also has an influence on other processes and eventually on the SMS, the services and the business outcomes. This is part of the communication that needs to take place and the awareness that needs to be created among the staff. A service desk agent needs to identify how the information they receive from the customer about, for example, a service request should be registered in order for the request to be implemented. The possible information security impact of the request should be understood before it is fulfilled. Agreed service levels for the request need to be verified in order to set the right expectations with the customer.

Planning and designing the actual processes can start from using existing ones, even if nothing is documented as yet. Take these and determine, based on the service requirements and other inputs, what would need to be changed in order for these processes to be optimized. Consult various stakeholders who operate the process, or are otherwise involved, to gather their input and form agreements with them. If possible, try out the new processes in a small-scale pilot environment to see if they perform as expected. If so, use the guidance in Chapter 5 of this book to document them and roll them out in the rest of the organization. Make sure that the processes can be measured: the standard requires you to establish performance criteria for the processes and control them, meaning that you should be able to measure the performance of your processes and determine their effectiveness. These performance criteria can be determined based on the service requirements, the service management policy and the service management plan.

6.1.3 Planning working with other parties

Many services nowadays are based on components or processes provided by other suppliers.
Think of an application service hosted on a third-party cloud platform; a transport service using planning software supplied by another software company; or simply the electronic payments done in any retail service, supplied by financial service providers. ISO/IEC 20000-1 has a significant focus on the use of suppliers in the SMS. A distinction is made between internal suppliers, customers acting as suppliers and external suppliers, with each having an impact on the level of control you need to exert on them. In all cases, it is you as the main service provider who remains accountable for the quality of the services, the value generated by them and the effectiveness of the SMS as a whole, even if all of these are areas where both suppliers and customers have specific responsibilities as well.

Planning to work with suppliers involves clarifying who provides what service component or runs what process; how these components or processes interact with the rest of the SMS and the services; and what service targets apply to service components or processes provided by other parties. This should all be contractually agreed in the case of external providers, because these are usually commercial agreements. In the case of internal suppliers, who are part of the same company that provides the services, or in the case of customers also acting as suppliers, with whom there is already a contract, using any agreement is sufficient.

The agreed service targets with customers are inputs for determining the service targets with suppliers. Say you provide an internet access service for which you agree that incidents will be resolved within four hours. If you have outsourced your technical field service to an external provider, you need to agree targets for fixing the parts under their responsibility that are clearly under four hours, otherwise you run the risk of exceeding the customer's SLA. Suppliers should be held accountable for meeting their part of the service targets.
ISO/IEC 20000-1 explicitly states that the service provider may not use suppliers to provide all services: you need to do something yourself, otherwise it is hard to show that you actually control any part of the service you provide to your customers. ISO/IEC 20000-3 discusses the use of suppliers in greater detail, using various simple and complex examples.

6.2 OPERATING

Once the planning phase has been completed, implementing and operating the SMS and the services should be relatively straightforward. It should be noted that the implementation of a new or changed process can have a significant impact on the organization. This impact can range from updating documentation to making people aware of the new process, or updating systems or informing customers and other stakeholders about the impact of the change on their side. There are several Organizational Change Management methodologies (OCM, not to be confused with the operational change management process) that can be helpful here. For instance, John P. Kotter's enhanced eight-step change process is well-known. What is important for organizational change is to make sure that everyone involved understands the reasons behind it and the impact on their own role and activities. Top management should clearly support the change and communicate about it.

Communication is generally an important part of ISO/IEC 20000, encouraged to take place at all levels in the organization, starting with top management. It makes sense to create a communication plan listing all opportunities for communication about the SMS and the services. This plan can contain items such as team meetings, operational reviews, town hall meetings, formal presentations, email and face-to-face communication, etc. Make sure there is ample opportunity for interaction, since effective communication has to involve an exchange of perspectives: it is always a dialogue.
When operating the SMS and the services, there should be a continual focus on the effectiveness of the activities and the value generated by the services. At a process level, this means that you should observe and measure the effectiveness of the processes and flag any issues that need to be improved. In almost every process area in Clause 8 of ISO/IEC 20000-1, there is a requirement to regularly verify if the objectives are still being met. This may involve verifying the accuracy of configuration information (configuration management), measuring satisfaction with the services (business relationship management), monitoring actual costs against the budget (budgeting and accounting for services), and monitoring capacity usage (capacity management), to name but a few.

This not only needs to be carried out for individual processes, but also for the overall interaction and governance. The system map of the interaction of processes should be revisited regularly, particularly after changes have been made to individual processes, to ensure that the output of one process is still adequate to serve as the input for another. Roles and responsibilities may also have to change when the processes themselves change. For example, the automation of part of an incident management process may bring with it IT technical requirements for the process owner's role that go beyond the skills of the person currently appointed.

Apart from operating the processes, there is also the aspect of operating the rest of the SMS. This includes making sure that the necessary resources are still available to support the SMS: are there enough staff to support the SMS and the services? Are staff sufficiently competent? Sometimes new staff are hired to replace people leaving the company and these new appointees need to go through an extensive training program to be able to perform their tasks.
This can leave a gap of sometimes several weeks during which human resources are at a low level, which may in turn impact the effectiveness of the SMS and the quality of the services. Similarly, changes to services may lead to changes in job descriptions and the required skills. These changes may trigger educational needs for existing staff or hiring needs to augment staff with skilled specialists. All these aspects need continuous monitoring and improvement as and when necessary.

Everything that was originally planned for the establishment of the SMS and the services will, at some point in time, no longer be adequate, given that service requirements, the marketplace and customer expectations change. The continuous cycle of monitoring this adequacy during the operation of the SMS and the services includes reviewing the service management policy, objectives and plan. These should, therefore, be reviewed with some regularity by top management, updated and communicated where necessary. Opportunities to do so exist at the beginning of the year, when organizational performance targets are usually set, but also during management reviews, after major incidents or after meeting important customers.

This also applies to the alignment of the SMS with the business processes and outcomes as discussed under the planning section. This alignment has two perspectives: the business perspective and the SMS and service perspective. Changes on one side may require re-evaluation and re-alignment on the other. The business may want to change the nature of the services it provides to its customers, which has an obvious major impact on the SMS and the services. On the other hand, changes made in, for example, staffing levels or service levels for the SMS and the services may impact the business and re-alignment may be required there.
In the list of process areas in Clause 8 of the standard, there is a large area relating to major changes made to the services: Design and transition of new and changed services. This process area had a complete clause of its own in the 2011 edition of ISO/IEC 20000-1 but has now found a place among the other service management processes. However, this does not mean it is regarded as any less important. Changes that have a major impact on customers or other services, the introduction of new services, the removal or transfer of services, and any other major changes all have a specific set of requirements in the standard that indicate they require specific attention. A more project-based approach is required for these, which includes: gathering requirements from customers, suppliers and other stakeholders; coming up with a proper service design based on these requirements; undertaking a risk assessment on the impact of these major changes to other services; determining the resource requirements and other impact on all aspects of the SMS; and establishing the impact on customers and other interested parties. These are in fact aspects of planning, design, transition, evaluation and improvement in this process area, so the complete Deming Cycle applies.

6.3 EVALUATING

Evaluation of the SMS and the services is mostly addressed in Clause 9 of the standard and consists of three elements: reporting, management review and internal audit. Reporting includes activities to monitor, analyse and evaluate the SMS and the services. Many clauses of ISO/IEC 20000-1 explicitly mention that reports should be created, performance analysed, or effectiveness evaluated. Much of this can be done with the help of commercial service management platforms that gather the data on incidents, changes and service requests, and can create default graphs regarding volumes, timeliness, quality and other performance aspects.
The output of such systems is necessarily limited though and may have to be augmented with data you gather elsewhere, or combined with data from other systems. For example, data from a capacity management system may have to be combined with data from a configuration management system to produce meaningful results of capacity usage for specific service components. As mentioned before, process performance should be measured, analysed and reported on, which may be challenging depending on the design of your processes. It is, therefore, important to consider measurement and reporting aspects in the planning phase of your processes and build the steps to measure process performance from the outset. Lean's value stream mapping is a powerful approach to do this, because it explicitly outlines what steps introduce delays or what are unnecessary steps in the process.

Reports are most powerful when presented in a graphical way, because this is usually much easier to understand than extensive tables or words. A graph or image, however, needs to be meaningful and appropriate to convey the message the report wishes to give. You also need to consider the audience for the report: a report about service performance aimed at top management needs to be much more generic than that aimed at staff running the processes. Similarly, a report for a customer or supplier may not contain information that is considered confidential by the service provider.

Risks should be reported on in various areas: these include risks to the SMS in general, to service availability and continuity, to information security, risks around service requirements, and risks regarding the use of suppliers, to name a few. These can be established in an integrated way if this is practical.
Not all stakeholders need to be made aware of all of the risks: operational risks may be treated by individual teams and may only need to be escalated to management or top management if their support or visibility of the risk is required. This layered approach to risk management and risk reporting makes sure that risks are dealt with at the appropriate level in the organization.

The management review (also called management system review, MSR) is an opportunity to have a discussion with top management about the state of the SMS and the services. There are a significant number of topics that the standard requires you to cover in this review: service performance, changes to the SMS, opportunities for improvement, resource needs, etc. How often such reviews are held is very much dependent on the organization. Sometimes this can be an annual review, whilst at other times it happens quarterly. There are also organizations that integrate these reviews into their operational meetings, so that topics of the management review simply refer to discussions that were held in previous meetings. The importance of the management review is that top management is continually kept informed about the SMS and the services and can make any necessary decisions based on that information. It is also an opportunity for them to express their opinion and provide direction to the organization.

Even if you don't use ISO/IEC 20000 to become certified through an external audit, you are still required to have an internal audit program. This program can be set up in various ways: it often takes just a sample of the SMS, simply because evaluating all aspects of it can be very time-consuming. Within a certain period, however, all aspects of the SMS should be audited, either through a single, large audit, or via a series of smaller ones.
The internal auditor needs to be independent of the organization that is being audited, otherwise there may be conflicts of interest, since the auditor needs to be able to take a neutral position in order to evaluate the SMS. Results of the audits serve as input to the management review.

6.4 IMPROVING

The final phase of the Deming Cycle, before you return to the beginning, is Act, which involves improving the SMS and the services based on various sources of input. You should already have your measurements relating to process performance and the effectiveness of the SMS and the services, as described in the previous section. Feedback from customer satisfaction surveys, employee satisfaction surveys and other stakeholder surveys will help determine more areas that may have to be improved. A way to generate opportunities from the teams involved in supporting the SMS and the services is to regularly ask them what issues arise while doing their jobs. These discussions can often result in actionable improvement opportunities. Finally, the risk management process will certainly generate actions that need to be taken to address specific risks.

All this feedback should be fed into a continual improvement process that evaluates, prioritizes, and executes these improvement opportunities. Continual improvement can be set up using a number of simple tools: for example, a Kanban board listing opportunities in their various stages (To-do, In Progress, and Completed); or a simple spreadsheet with a list of improvement opportunities which you can prioritize and allocate to people to work on; or even a commercial platform that allows you to do the same things in an electronic or cloud-based way. The point is that improvement opportunities should be registered, prioritized, allocated to the right people to execute and then tracked to completion.

A separate category of improvements mentioned in the standard is non-conformities.
These are aspects of the SMS that do not conform to the requirements in ISO/IEC 20000-1. These may come up during internal or external audits, or during the operation of the SMS. Nonconformities need to be corrected as soon as possible if you want to conform to the standard, and this is achieved using the continual improvement process as described above. Nonconformities are items that need to be discussed in management reviews, as described in the previous section, and will therefore receive top management attention. To close off nonconformities, the effectiveness of measures taken to deal with them needs to be verified, so that you can be sure these nonconformities will not recur.

Even though this step of improving might seem to be the final one, it actually leads towards starting the Deming Cycle all over again: improvements that need to be made to the SMS and services will in many cases mean a return to the planning stage, which is needed to coordinate the implementation of the improvements in such a way that the SMS and the services are not negatively impacted. In this way, the circle is closed and the process of planning, implementing, operating, evaluating and improving the SMS and the services is itself a process of continual learning and development.

7. Certification

Most organizations will want to implement the requirements of ISO/IEC 20000-1 primarily to improve their existing service management practices, with the aim of:
Creating greater efficiency internally;
Reducing costs (and becoming more profitable, if your organization is a for-profit one);
Improving service quality;
Increasing customer satisfaction through enhancing the value they experience from your services.

If, however, you want to demonstrate externally that this is in fact the case and that you conform to all the requirements in ISO/IEC 20000-1, then you will need to go through a certification process with an external audit.
An audit is an assessment of conformance with the requirements of the standard or, as it states, for "an organization to demonstrate its capability for the planning, design, transition, delivery and improvement of service". It is therefore an opportunity for you to show how well you are running your SMS. This requires a certain amount of documented information, as required by the standard (see chapter 5 of this book), together with a level of confidence and knowledge inside the organization to be able to communicate this to the auditor.

The main points to keep in mind when opting for an external audit to gain certification are:
Make sure you don't polish up your ways of working just for the audit; show the day-to-day way of working of your SMS instead;
See an audit as a learning experience: it is not a sign of failure when you get feedback from the auditor that something does not meet the requirements; rather, it is an opportunity for you to improve your SMS;
Do make people aware that the audit is taking place and make sure they can talk with the auditor if required.

The basic requirements to get certified are as follows:
