iso/iec20000!! overview!and!! cer2ﬁcaon!approach!

ISO/IEC20000 Overview and

Cer2fica2on Approach

Agenda 1.  ISO20000 Overview 2.  Associated Standards and Frameworks 3.  ISO20000 and ITIL 4.  Cer2fica2on Approach (Phase1)

•  Service Management Maturity

5.  Cer2fica2on Approach (Phase2) •  Scoping Statement

6.  Conclusion

© IG Service Consul2ng Nov 2012 Slide 2

ISO20000 Overview •  Standard for IT Service Management •  IT Service Management as an integrated business func2on •  Overall goals for IT Service Management

Ø  Customer focussed Ø  Integra7on of Processes Ø  End-‐to-‐end Service Management Ø  Con7nual Service Improvement

•  Requires IT Service Management to be a value add element of the business


ISO20000 Overview •  Around 700 Cer2ficated organisa2ons worldwide (Nov 2012) •  Range of organisa2on types •  Only 50 UK based •  Cer2fica2on is gained by mee2ng criteria set out within the

standard to a defined and agreed scoping statement •  The scoping statement refers to the whole, or to a part of IT

Service Management defined by: Ø  Customers Ø  Services Ø  Geography Ø Organisa7onal Units


Associated Standards and Frameworks


eTOM



ISO9001

ISO27001

BS25999 COBIT

ITIL ISO20000


•  ISO20000 draws on elements required by other cer2fica2ons Ø Management Systems Ø  Process defini7ons Ø  Roles and Responsibili7es Ø  Documents and Records

•  Uses the ITIL Framework as a basis for process requirements •  Other cer2fica2ons do not map exactly, but do accelerate

cer2fica2ons Ø  Business Con7nuity -‐ BS25999 Ø  Informa7on Security -‐ ISO27001 Ø Quality Management -‐ ISO9001


ISO20000 Standard

and ITIL Service Management Framework


ISO20000 History Date Standard or Framework

1996 ITIL V1

2000-‐2001 ITIL V2

Nov 2000 BS15000

Dec 2005 ISO20000

May 2007 ITIL V3

Apr 2011 ISO20000

July 2011 ITIL V3 (2011)


ISO20000 History •  ISO20000:2005 was somewhat aligned to ITIL V2 •  ISO20000:2011 provides a closer alignment to ITIL V3

Ø  Service Management System is covered within Service Strategy Ø  Business Rela7onship Management is now also explicit in Service

Strategy Ø  Planning and Implemen7ng is directly linked to Con7nual Service

Improvement and Service Transi7on Ø  Planning New Services links to Service Strategy


ISO20000-‐1:2005


ISO20000-‐1:2011


Service Management System

Design and Transition of New and Changed Services

Service Delivery Processes

Relationship Processes Business Relationship Management

Supplier Management

Resolution Processes Incident Management and Service Request

Management

Problem Management

Control Processes Configuration Management

Change Management Release and Deployment

Management

Capacity Management

Service Continuity & Availability Management

Information Security Management

Budgeting and Accounting

for IT Services

Service Level Management

Service Reporting

Management Responsibility Governance of Processes Operated by other par7es Establish SMS Documenta7on Management

Resource Management

ISO20000 and ITIL


ISO20000 and ITIL •  Despite some differences, the ITIL framework is the pladorm

from which to target ISO20000 cer2fica2on •  ITIL advocates:

Ø Management System Ø  Defini7on of policies, processes and procedures Ø  Process and service ownership, roles and responsibili7es Ø  The integra7on of Service Management processes Ø  A common Service Management language Ø Measurement and Con7nual Service Improvement

•  Provides recognised industry standard training and educa2on


ISO2000 to ITIL Mapping ISO20000 ITIL V2 ITIL V3 Requirements for a Management System Service Strategy

ITIL Update 2011 includes a Service Management System

Planning and Implemen7ng Service Management

Planning to Implement Service Management

Con7nual Service Improvement Con2nual Service Improvement

Planning and Implemen7ng New or Changed Services

Service Strategy Service Pordolio Management

Rela7onship Processes Business Rela2onship Management Supplier Management

The Business Perspec8ve Service Opera7on, Service Design Supplier Management Service Desk

Service Delivery Processes Service Level Management Service Repor2ng Budge2ng and Accoun2ng for IT Services Service Con2nuity and Availability Management Capacity Management Informa2on Security Management

Service Delivery Service Level Management Financial Management for IT Services IT Service Con2nuity Management Availability Management Capacity Management Security Management (Demand is implied in Capacity Management)

Service Strategy, Service Design, CSI Service Level Management Service Repor2ng Financial Management IT Service Con2nuity Management Availability Management Capacity Management Informa2on Security Management Demand Management


ISO2000 to ITIL Mapping ISO20000 ITIL V2 ITIL V3 Resolu7on Processes Incident Management Problem Management

Service Support Incident Management Service Desk Problem Management

Service Opera7on Incident Management Request Fulfilment Service Desk Problem Management

Control Processes Configura2on Management Change Management

Service Support Configura2on Management Change Management Service Desk

Service Transi7on, Service Opera7on Service Asset and Configura2on Management Change Management Service Desk Transi2on Planning and Support Service Valida2on and Tes2ng Evalua2on

Release Processes Release Management

Service Support Release Management

Service Transi7on Release and Deployment Management Transi2on Planning and Support

Out of ISO20000 Scope ICT Infrastructure Management Applica8ons Management

Out of ISO20000 Scope Service Transi7on, Service Opera7on Access Management Event Management IT Opera2ons Knowledge Management Monitoring and Control


ISO20000 Cer2fica2on

Phase 1


Planning and Prepara2on


Stage 6 Sign-‐off

Stage 1 ISO20000 Drivers

Stage 3 Evidence Review

Stage 2 Evidence Gathering

Stage 4 Assessment

Stage 5 Repor2ng/Business

Case IT Service Management Capability

ISO20000 Cer2fica2on Drivers •  Sales Revenues •  Market Opportuni2es •  Speed to Market •  Speed to introduce new services •  Service Improvements •  Service Cost Reduc2ons •  Service Quality •  Regulatory Requirements


Understand the Specifica2on •  Gain a solid understanding of the specifica2on

Ø Now consists of 8 parts!! Ø  Get assistance where appropriate Ø  ISO20000 training courses

•  All processes MUST be evidenced to gain cer2fica2on Ø  13 defined processes Ø  Plus Management System, CSI and New Service Planning

•  There are +170 ‘shalls’ to consider Ø  By contrast ISO9001 has 130 ‘shalls’


Understand the Code of Prac2ce •  Significant number of ‘should’ statements

Ø Most are ‘shalls’ by implica7on

•  Example – Incident Management Ø  The Specifica7on make a single reference to ‘resolving’ incidents.

The CoP specifically makes specific reference -‐ “concerned with the restora7on of service not determining the cause of the Incident”

Ø  There is a single statement rela7ng to Major Incident in the Specifica7on and a significantly more in the CoP

•  CoP focuses on the integra2on of processes and the roles and responsibili2es Ø  ITIL is much more explicit regarding process integra7on


Evidence Gathering •  Determine what evidence to gather

Ø Use ITIL manuals in conjunc7on with the standard

•  Determine the level of evidence to gather Ø May be easier to take everything at this stage

•  Ensure there is an understanding of a document and a record Ø  Document – evidence of inten7ons Ø  Record – evidence of ac7vi7es/outcomes

•  Determine who you need to involve Ø  It may be necessary to approach suppliers/customers


Evidence Gathering

•  Collate all documenta2on and records rela2ng to IT Service Management


Ø ‘Strategy’ Ø Service Plans Ø Policies Ø Client Reports Ø Processes Ø Audit Results Ø Procedures Ø Roles and Responsibili7es Ø Service Catalogue Ø Training Records Ø Organisa7onal Structures Ø Agreements and Contracts Ø Improvement Plan Ø Common Terms and Language Ø Service Review Minutes Ø Outage Reports

Evidence Review •  Review in accordance with the Standard and the Specifica2on •  Immediate high level view of non-‐conformi2es

Ø  Processes not in evidence Ø No process owner Ø No contract/agreement in place Ø  Etc.

•  Review provides a sound basis for ques2oning and improving the Assessment outcomes

•  Determine a level of acceptable quality


Assessment •  Process Owner Interviews •  Draw conclusions on gaps between documented evidence

and actual opera2ons •  Ajend opera2onal mee2ngs (CABs, ‘Morning Prayers’) •  Review quality and consistency of documents and records •  From a documentary point of view

Ø  Is the evidence Documented? Ø  Is the evidence Communicated appropriately? Ø  Is the evidence being Used ? Ø  Is the evidence being Reviewed for being ‘fit for purpose’? Ø  Is the evidence being Improved where necessary?


Assessment •  The Assessment should also consider

Ø  Toolsets Ø  Services and process are entrusted to appropriately qualified staff Ø  Ac7vi7es are linked Ø  Considera7ons of Business and Customer requirements Ø Management direc7on Ø  Con7nual Service Improvement


IT Service Management Maturity •  Assessment of Service Management Capability

Ø  Service Management Maturity Assessments (various) Ø  BIP0015 – IT Service Management Self Assessment Workbook:2011 Ø  COBIT


Adhoc/ Chao7c

Repeatable

Defined & Documented

Measured & Managed

Op7mised

Level 1 Level 2 Level 3 Level 4 Level 5

• Undocumented • Unpredictable • Adhoc •  Very reac2ve •  SLAs not followed •  Few measures

•  Repeated service process •  Some records and documents •  Some measures •  Some SLAs met

• Defined services • Documents and records • Mostly measured • Most SLAs met

•  Service Catalogue • Documents and records •  Proac2ve •  SLAs guaranteed •  Service costs known •  Integrated processes

•  IT as a strategic partner •  IT and business collabora2on •  IT within business planning •  Con2nual Service Improvement

IT Service Management Maturity •  What Service Management processes are in opera2on? •  How is it structured? •  Does it meet customer needs? •  What documenta2on exists? •  What records exist? •  What is the gap between the documented approach and

actual delivery? •  Qualified staff (technical, ITIL, ISO20000) •  Is there an Improvement Plan •  What level of maturity is evident? © IG Service Consul2ng Nov 2012 Slide 28

Business Case


Opera7onal Benefits Process Integra2on Efficiency and Effec2veness Maturity Improvement Improved Rela2onships

Management Benefits Defining Areas for Improvement

Accuracy of Measurement Clarity of Target Senng Realised Cost Savings

Business Benefits Customer Alignment Customer Sa2sfac2on Business Alignment Strategic Alignment

Sales Benefits Increased Opportuni2es Reduced Compe22on

Speed and Accuracy of Responses Marke2ng

Business Case

Cer2fica2on Timescales •  Cer2fica2on 2mescales are rela2ve to:

Ø  Scope – Number of Services, Loca7ons, Teams Ø  Size – Number of Staff/Partners/Suppliers Ø  Complexity and Cri7cality – Detail and Interdependencies Ø  Skills and Experience – Internal and External Par7es Ø  Current Capability – Maturity Level Ø  Exis7ng Cer7fica7ons – Experience of Management Systems

•  Possible 2melines Ø  2 to 3 months to get to Assessment/Business Case Ø  ? months to Cer7fica7on readiness Ø  3 months of evidence is required to show processes and records

capture are embedded


Cer2fica2on Costs •  Budge2ng for cer2fica2on should consider the following:

Ø  Consultancy Ø  Training Ø  Process Improvement Ø  Tools Ø  Project Management Ø  Cer7fica7on Ø  Timescales


ISO20000 Cer2fica2on

Phase 2


Define Scoping Statement

Analysis and Alignment

Engage Registered Cer2fica2on Body

Pre-‐Assessment Audit

Cer2fica2on Audit Success

Define Project

Route to Cer2fica2on


Cer2fica2on Project Planning


People Who to involve

Processes Defined by the Standard

Products Toolset requirements The Services Service Level Agreements

Partners Suppliers Contracts Customers

Engage RCB •  There are no conflicts in using previously used RCBs •  There may be benefits in using previously instructed RCBs in

rela2on to: Ø  ISO9001 Ø  ISO27001 Ø  BS25999

•  5 UK based RCBs Ø  BSI Ø  DNV Ø  Lloyds Ø  ISOQAR Ø  SGS


Scope Statements •  Define the scope with your RCB •  Scoping Statement includes:

Ø  The Customers Ø  The Services Ø  The Loca7ons Ø  The Organisa7onal Units

•  Scoping Statement will have suppor2ng detail •  Where feasible build in possible/probable service

adjustments Ø  Specify services set out in the Service Catalogue instead of specific

lis7ng of services Ø  Customers encapsulated by a specific contract type


Scoping Statements Example Scoping Statements Thales Informa7on Systems Ltd The Scope of the cer7fica7on is: The IT Service Management System that supports the provision of managed IT services for internal and external customers as specified in contract schedules. The Loca7on covered by the cer7fica7on is: MontBajen House, Basing View, Basingstoke, RG21 4HJ, United Kingdom. BT Ireland The Scope of the cer7fica7on is: The IT Service Management System that covers the provision, support and management of the Wide Area Network, Contact Centre and Voice Services to the Bank of Ireland within the technical and organisa2onal boundaries of BT Ireland and in accordance with the contract schedules. The Loca7on covered by the cer7fica7on is: Grand Canal Plaza, Upper Grand Canal Street, Dublin 4, Eire.


Analysis and Alignment •  Standard requires robust processes and systems with a level

of maturity Ø  Processes and systems should be in place for a reasonable period (3

months) prior to cer7fica7on audit

•  Capture ‘gaps’ and set out a plan •  Document management is required •  Communica2on and awareness


Cer2fica2on Process •  Time to complete the cer2fica2on audit is dependent on

scope Ø  Scale Ø  Services Ø  Loca7ons

•  5 months would be the minimum •  Once cer2fied

Ø  Surveillance Audits at least every 12 months Ø  Recer7fica7on every 3 years


Conclusion


ISO20000 •  MUST comply with all aspects of the standard and

specifica2on Ø  13 Processes Ø  3 Management and Planning systems

•  Should show at least 3 months of opera2on using the standard

•  Audit will want to see at least 1 improvement plan Ø  A ‘quick win’ series of improvements is beneficial


Approach Review •  2 Phase approach •  Phase 1

Ø  Build case for ISO20000 cer7fica7on and communicate inten7on Ø  Define current state of IT Service Management Ø  Consider likely Scoping Statement

•  Phase 2 Ø  Define Scoping Statement Ø  Assess, design, build, test, embed processes and systems Ø  Cer7fy and maintain


Approach Review


Define Scoping Statement

Analysis and Alignment

Engage Registered Cer2fica2on Body

Pre-‐Assessment Audit

Cer2fica2on Audit Success

Define Project

Use the Frameworks •  Use the Frameworks

Ø  ITIL forms the basis of ISO20000 Ø  eTOM is equally aligned Ø  ITIL defines a common Service Management language Ø  ITIL training will provide ‘correct ability staff’ Ø  Service Management Maturity Assessments are mature processes

and can assist Ø  BIP0015 is directly linked to ISO20000 Ø  COBIT is also appropriate and links to maturity


Ques2ons and Answers
