ISO 20000

IT Service Management System


Contents

  1. Introduction
  2. Overview
  3. Global adoption
  4. Benefits
  5. Auditing
  6. Choosing a registrar
  7. Route to registration
  8. Costs
  9. Contributing editor

Introduction

ISO 20000 is the first international standard for Information Technology Service Management and is fully compatible and supportive of the ITIL (IT Infrastructure Library) framework. ISO/IEC 20000-1:2011 specifies four key service management processes broken into 13 IT processes (See reference diagram below), as follows:

  1. Service Delivery Processes – includes Service Level Management, Availability Management, and Capacity Management
  2. Relationship Processes – involves interfaces between the service provider and customers and suppliers
  3. Resolution Processes – focuses on incidents being resolved or prevented
  4. Control Processes – involves managing changes, assets, and configurations

ISO 20000 Service Delivery Processes

ISO/IEC 20000-1 requires all processes to be implemented without exception.

The standard specifies a number of closely related service management processes that help organizations:

  • Identify that relationships exist between these processes, and that these relationships depend on how the processes are applied within the organization
  • Provide guideline objectives and controls that enable the organization to deliver managed services
  • Provide control, greater efficiency, and opportunities for improvement
  • Turn technology-focused departments into service-focused departments
  • Ensure IT services are aligned with and satisfy business needs
  • Improve system reliability and availability
  • Provide a basis for service level agreements
  • Provide the ability to measure IT service quality

High Level breakdown of ISO/IEC 20000-1:2005


History of the standard

  • The U.K. government launched the IT Infrastructure Library (ITIL) in 1989
  • ITIL defines “best practice” processes and procedures
  • ITSMF formed in 1991 to further develop best practice
  • ITSMF approaches BSI to develop a standard
  • BS 15000 first published in 2000 as a specification
  • BS 15000 revised in 2002
  • ISO/IEC 20000 released in 2005
  • ISO/IEC TR 20000-3:2009 Guidance on Scope Definition and applicability released in 2009 (TR – Technical Report)
  • ISO/IEC TR 20000-4:2010 Process Reference Model released in 2010 (TR – Technical Report)
  • ISO/IEC TR 20000-5:2010 Exemplar implementation plan for ISO/IEC 20000-1 released in 2010 (TR – Technical Report)
  • ITSMF ISO/IEC 20000 Scheme transferred to APMG in 2010
  • ISO 20000-1:2011 published April 2011

Overview

ISO 20000 Series of Standards

ISO/IEC 20000-1:2011 Service Management System Requirements

ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfill agreed service requirements. ISO/IEC 20000-1:2011 can be used by:

  • an organization seeking services from service providers and requiring assurance that their service requirements will be fulfilled;
  • an organization that requires a consistent approach by all its service providers, including those in a supply chain;
  • a service provider that intends to demonstrate its capability for the design, transition, delivery and improvement of services that fulfill service requirements;
  • a service provider to monitor, measure and review its service management processes and services;
  • a service provider to improve the design, transition, delivery and improvement of services through the effective implementation and operation of the SMS;
  • an assessor or auditor as the criteria for a conformity assessment of a service provider's SMS to the requirements in ISO/IEC 20000-1:2011.

ISO/IEC 20000-1:2011 promotes the adoption of an integrated process approach to effectively deliver managed services to meet business and customer requirements. For an organization to function effectively it has to identify and manage numerous linked activities. Co-ordinated integration and implementation of the service management processes provides ongoing control, greater efficiency and opportunities for continual improvement.

The ISO/IEC 20000 series draws a distinction between the best practices of processes, which are independent of organizational form or size, and organizational names and structures. The ISO/IEC 20000 series applies to both large and small service providers, and the requirements for best practice service management processes are independent of the service provider's organizational form. These service management processes deliver the best possible service to meet a customer's business needs within agreed resource levels, i.e. service that is professional, cost-effective and with risks that are understood and managed.

ISO/IEC 20000-2:2005 Code of Practice

ISO/IEC 20000-2:2005 represents an industry consensus on guidance to auditors and offers assistance to service providers planning service improvements or to be audited against ISO/IEC 20000-1. ISO/IEC 20000-2:2005 is based on BS 15000-2, which has been superseded.

The variety of terms used for the same process, and between processes and functional groups (and job titles) can make the subject of service management confusing to the new manager. Understanding the terminology is a tangible and significant benefit from ISO/IEC 20000.

ISO/IEC TR 20000-3:2009 – Technical Report Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1

ISO/IEC TR 20000-3:2009 provides guidance on scope definition, applicability and demonstration of conformance for service providers aiming to meet the requirements of ISO/IEC 20000-1, or for service providers who are planning service improvements and intending to use ISO/IEC 20000 as a business goal. It can also assist service providers who are considering using ISO/IEC 20000-1 for implementing a service management system (SMS) and who need specific advice on whether ISO/IEC 20000-1 is applicable to their circumstances and how to define the scope of their SMS.

ISO/IEC TR 20000-3:2009 supplements the advice in ISO/IEC 20000-2, which provides generic guidelines for implementing an SMS in accordance with ISO/IEC 20000-1.

ISO/IEC TR 20000-4:2010 – Technical Report Part 4: Process reference model

The purpose of ISO/IEC TR 20000-4:2010 is to facilitate the development of a process assessment model according to ISO/IEC 15504 process assessment principles. ISO/IEC 15504-1 describes the concepts and terminology used for process assessment. ISO/IEC 15504-2 describes the requirements for the conduct of an assessment and a measurement scale for assessing process capability.

The process reference model provided in ISO/IEC TR 20000-4:2010 is a logical representation of the elements of the processes within service management that can be performed at a basic level. Using the reference model in a practical application might require additional elements suited to the environment and circumstances.

The process reference model does not provide the evidence required by ISO/IEC 20000-1. The process reference model does not specify the interfaces between the processes.

ISO/IEC TR 20000-5:2010 Exemplar implementation plan for ISO/IEC 20000-1

ISO/IEC TR 20000-5:2010 is an exemplar implementation plan providing guidance to service providers on how to implement a service management system to fulfil the requirements of ISO/IEC 20000-1 or for service providers who are planning service improvements and intending to use ISO/IEC 20000 as a business goal. It could also be useful for those advising service providers on how to best achieve the requirements of ISO/IEC 20000-1.

ISO/IEC TR 20000-5:2010 includes advice for service providers on a suitable order in which to plan and implement improvements. It is suggested that a generic three-phase approach is used to implement a service management system. The phased approach provides a structured framework to prioritize and manage the implementation activities.

ISO/IEC TR 20000-5:2010 is for guidance only. The service provider has the option of choosing their own implementation sequence to implement a service management system.

Global adoption

ISO/IEC 20000 is currently being adopted worldwide. Organizations have realized that an organizational certification is proof that best practices are in place and that a continual improvement program and internal audits/assessments support the implementation. This is also verified by the certification body performing annual surveillance audits.

The advent of ITIL implementations has secured ISO 20000's position as the premier ITSM (IT Service Management) certification for organizations. Prior to ISO 20000, organizations were at the mercy of ITIL practitioners to implement ITIL services that could not be certified. ISO 20000 now provides organizations with a proven ability to audit an implementation and accredit (certify) it based on an agreed scope. ISO 20000 has also helped organizations understand and conduct risk assessments, which has improved organizational performance and understanding.

Currently there are no ISO-published survey results for ISO 20000 implementations. Suffice it to say, the United States is seeing Federal requirements requesting proven certification for new or renewed IT contracts.

Benefits

  • Provides a way to align information technology services with business strategies.
  • Creation of a formal framework for service management and service improvement.
  • Provides KPI measurement criteria.
  • Creates competitive advantage via the promotion of consistent and cost-effective services.
  • Changes an IT driven culture into a business driven culture.
  • Provides management a clear view of inter-dependencies across IT and the ISO 20000 processes.
  • Promotes risk assessment and risk management.
  • Enhanced reputation and perception for using best practices.
  • IT becomes pro-active rather than re-active.
  • Improved understanding and relationships between IT and the business/customers.
  • Creation of a stable framework for both resource training and service management automation.

Auditing

The ISO/IEC 20000 standard requires a two-stage auditing methodology: the organisation is required to carry out internal audits as well as having external auditors from the certifying body carry out their own audits.

Internal Audits

Staff from your organisation can be trained to carry out audits through formal courses, which are often 3-5 days in length, or they can be trained in-house with the use of ‘mentors’ who will guide them through the training process. Whichever route is chosen, the external auditor will be ensuring the internal audits are carried out in a competent manner. Staff will not be able to carry out audits on their own work, so a minimum of two internal auditors should be planned. Staff will often volunteer to be an internal auditor for various reasons, but being inquisitive about how the rest of the company operates can be high on the list. It is often better to have a motivated volunteer than someone who has been detailed to be an internal auditor. In some cases, consultants can be employed to carry out these audits, but the long-term cost can be high. The internal audits will need to be carried out on the full ITSM management system. However, depending on the importance of certain areas, or the weakness of certain processes, the coverage can be varied to suit. The internal audit process should ensure that the organisation is working to established processes and that any improvements are noted and captured within the management system. Non-conformances can be a useful source of continual improvement, not a cause for starting the ‘blame game’.

External Audits

These will be carried out by the certifying body, which will provide auditors experienced in the area in which your organisation is working. External auditors in the ITSM field will be expected to have significant relevant experience (see ISO/IEC 17021:2006 Conformity assessment — Requirements for bodies providing audit and certification of management systems). The better certifying bodies will expect their auditors to be on the International Register of Certified Auditors (IRCA) or the RABQSA equivalent.

Choosing a registrar

There are approximately 1,000 certification bodies globally, so it is important to select an approved certification body that is relevant to the industry sector you are operating in. Also, it is important to ensure the certification body provides certification services for IT standards including ISO/IEC 20000:2005. Not all certification bodies offer support in this standard, so please ensure they have an appropriate track record and qualified auditors. When selecting a certification body or registrar:

  • Ensure the company conforms to the requirements of ISO/IEC 17021:2006, and that the certification body's accreditation is issued by a recognised competent body.
  • Obtain quotations from several certification bodies so you can compare pricing and requirements.
  • Ask for auditor resumes to ensure they have a track record auditing the standard and have worked with the standard in business. Experience is of paramount importance; ask questions, and receiving the right answers is a must.
  • Ensure the certification body is recognised by your customers and has the relevant sector experience for your industry.

Route to registration

  1. Pre-audit Assessment
    • Check documentation with auditor
      The auditor will review your documentation to ensure that all documented procedures cover the requirements of ISO 20000-1:2005.
    • Determine date of assessment
      With your auditor you will determine the best timetable for your registration and agree on a date for the 1st and 2nd stage initial assessments. Many organizations benefit from the pre-assessment "dry run" of the formal assessment.
  2. Initial Assessment conducted (1st Stage)
    A 1st stage initial assessment will be conducted by your external auditor. This will cover the basic documentation and your state of readiness for the 2nd stage audit. You will be informed of the auditor's recommendation at the closing meeting.
  3. Initial Assessment conducted (2nd Stage)
    During the 2nd stage audit, your nominated auditor will perform a full audit of your management system against the requirements of ISO 20000-1:2005. The combination of the 1st and 2nd stage audits will result in a recommendation from the lead auditor at the end of the audit.
  4. Registration Confirmation
    Following your auditor's recommendation, your registration will be confirmed by the technical reviewers.
  5. Certificate Issued
    Your certificate of registration will arrive soon after your registration has been confirmed.
  6. Continued Assessment
    After registration your nominated auditor will visit your organization every 6 months or annually to ensure that your management system continues to meet the requirements of ISO/IEC 20000-1:2005. The number of days required for the Continued Assessment will depend on the number of staff within the scope of registration.
  7. Reassessment
    Your registrar is required to perform a reassessment of your management system every 3 years. This is approximately 2/3 of the initial assessment duration. At the end of the closing meeting, your auditor will confirm the outcome if you are successful.

Costs

Internal Costs

No matter which route is taken to achieve certification, some time and effort is required by the organisation, which will equate to some costs. The implementation of the ITSM standard is not a painless exercise! If a do-it-yourself approach is taken, then a project leader will need to be nominated who may spend a good portion of their time ensuring the work required is being carried out.

Consultancy Costs

The complexity of the ISO/IEC 20000 standard means there are a number of pitfalls for the do-it-yourself organisation. A consultant with years of experience in both auditing other IT management systems and installing systems for organisations knows exactly what is required, and the organisation will not be re-inventing the wheel. ISO/IEC 20000 has a number of connection points across the 13 processes which need in-depth understanding when confronted by the auditors; failure to understand these can mean the difference between passing the audit and failing it.

Certification Costs

The costs of registration are dependent on the size of your organization. Most registrars charge a certain rate per day to be on-site at your facility. This day rate will vary depending on your country and will be quoted at the time of request.

To maintain your certification, the certifying body must return periodically (i.e. every 6 months, or annually) to audit a portion of your system; this is called a surveillance audit. These audits continue for the duration of the certification (normally three (3) years).

Contributing editor

Steve Crutchley

Steve is the CEO of Consult2Comply and has in excess of 40 years’ experience in IT, much of this spent working internationally in the USA, Europe, South Africa and the Middle East. Steve is an approved instructor and implementer for ISO/IEC 20000, ISO/IEC 27001 and BS 25999, also a content expert related to regulations, standards and best practices. As a practitioner, Steve regularly undertakes assignments supporting Compliance and privacy initiatives for clients worldwide. To date Steve has helped 7 organizations align and certify to ISO/IEC 20000 and in excess of 20 organisations certify to ISO/IEC 27001.

With more than 20 years’ experience in business protection, combined with an extensive knowledge of the industrial, commercial, government and financial areas, Steve has dedicated his skills over this time to be highly focused on risk, governance, compliance, information security and information assurance. Steve’s intuitive skill is to provide management with tools and techniques that enable them to understand the intricacies in an area where competence and expertise are in short supply worldwide.

Steve has held senior positions in government, corporate and private businesses for many years and has a solid track record of prior achievements. In a sector where the noise is mixed and confusing, Steve is able to help organizations navigate through the business protection (security), compliance and national and international privacy maze to assist them in the selection and delivery of the processes and solutions that will mitigate risk and support corporate governance. Steve has significant skill in various standards and control structures including, but not limited to: ISO 27001, ISO 20000, BS 25999, ISO 38500, COBIT, ISF, NIST, COSO, GAPP, GLBA, HIPAA, NERC and PCI. Steve has deep international expertise, a key differentiator in the GRC and compliance industry today.
