quint lead auditor - exercises and answer - print one site

Page 1: QUINT Lead Auditor - Exercises and Answer - Print One Site

Group Assignment 3 - Gap Analysis report

There are various quality-related issues that the IT management of ElectricWorks is struggling with, and it is under pressure from senior business managers to clean up its act or face wide-scale outsourcing. The IT manager wants to resolve the service delivery quality issues by implementing ISO/IEC 20000, to show senior business management that there is no need to outsource them.

The management team is very positive about your knowledge about ISO/IEC 20000 and has asked if you can come up with a structure for a gap analysis report that will identify the gaps between the current and required maturity to pass an ISO/IEC 20000 audit by an RCB.

Give a brief outline of the structure of your proposed report, with examples of content.

Preparation: 20 minutes preparation for the presentation
Presentation: Maximum 10 minutes (presentation and discussion)
Target audience: IT management team ElectricWorks

Quint Wellington Redwood 2006 ISO/IEC 20000 Case Material – Auditor course

Context

Objective

Report back

Time allowed

Page 2: QUINT Lead Auditor - Exercises and Answer - Print One Site

Answer key – Group assignment 3 - Gap Analysis report

Gap analysis Report

Name Client

Version :
Author :
Date :


Table of Contents

0. DOCUMENT HISTORY
1. MANAGEMENT SUMMARY AND CONCLUSIONS
2. INTRODUCTION
  2.1. INTRODUCTION
  2.2. OBJECTIVES
  2.3. SCOPE
  2.4. APPROACH
3. GAP ANALYSIS
  3.1. REQUIREMENTS FOR A MANAGEMENT SYSTEM
    3.1.1. Management responsibility
    3.1.2. Documentation requirements
    3.1.3. Competence, awareness and training
  3.2. PLANNING AND IMPLEMENTING SERVICE MANAGEMENT
    3.2.1. Plan service management (Plan)
    3.2.2. Implement service management and provide the service (Do)
    3.2.3. Monitoring, measuring and reviewing (Check)
    3.2.4. Continual improvement (Act)
  3.3. PLANNING AND IMPLEMENTING NEW OR CHANGED SERVICES
  3.4. SERVICE DELIVERY PROCESSES
    3.4.1. Service Level Management
      PROCESS SCOPE
      ACTIVITIES
    3.4.2. Service Reporting
    3.4.3. Service Continuity and Availability management
    3.4.4. Budgeting and Accounting for IT services
    3.4.5. Capacity Management
    3.4.6. Information Security Management
  3.5. RELATIONSHIP PROCESSES
    3.5.1. Business relationship management
    3.5.2. Supplier management
  3.6. RESOLUTION PROCESSES
    3.6.1. Incident Management
    3.6.2. Problem Management
  3.7. CONTROL PROCESSES
    3.7.1. Configuration Management
    3.7.2. Change Management
  3.8. RELEASE PROCESSES
    3.8.1. Release Management
4. CONCLUSIONS
  4.1. NON CONFORMANCES
  4.2. OBSERVATIONS / AREAS FOR IMPROVEMENT
  4.3. POTENTIAL RISKS
5. RECOMMENDATIONS
APPENDIX A - GLOSSARY
Appendix B - list of interviews


Document History

Version | Date | Comment, Status


Management Summary and conclusions


Introduction

Introduction

Name Client is aiming for ISO/IEC 20000 certification. With this certification Name Client wants to expand its market share and create additional business opportunities for its existing set of services.

This report is the result of a gap analysis that was conducted for Name Client and provides Name Client with information regarding the gap between current and desired maturity level based on the ISO/IEC 20000-1.

Objectives

The objective of the gap analysis is to:
- Assess how the IT service management processes of Name Client compare with those described in ISO/IEC20000-1;
- Identify any gaps between the current practices of Name Client and the requirements of ISO/IEC20000-1;
- Provide a list of recommendations and potential risks;
- Recommend a series of practical steps for improving any shortfalls identified by the gap analysis.

Optional:
- A high level plan of approach to implement the recommendations.
- A clear path / next steps towards achieving ISO/IEC20000 certification

Scope

The focus of this gap analysis is on the IT Service Management System that covers the provision of service X that is provided from location A and location B of Name Client.

Approach

The following approach was followed. A list of the persons interviewed is included in the appendix.

nr | Steps | Aim, results
1 | Preparation by reading provided material | Being effective from the first day we start at Name Client
2 | Kick off session | Meeting with sponsor and other key stakeholders. Getting the scope, attention points and key targets of assessment clear
3 | Interviews with line managers and process managers | Getting insight in the effectiveness of the processes
4 | Interviews with process involved (key) employees | Get insight in the maturity and improvement potential of all individual processes.
5 | Writing the preliminary report | Write, based on the outcomes of the interviews a preliminary report.
6 | Present preliminary results | Present the preliminary results to the key stakeholders, providing the opportunity to include the feedback in the final report.
7 | Perform some additional inquiries/ interviews | If necessary some additional inquiries may be necessary to solve any gaps in the information already available.
8 | Write final report | Write, based on the outcomes of the presentation and additional information the final report.
9 | Present final report | Present the final report to the key stakeholders.


Gap analysis

Each principal question is provided with a “reference” field. This is designed to record cross-reference information to support the answer given.

References are:
- Procedures which address the question and indicate compliance
- Information on the project, team or individual currently working on process improvement (especially for “in progress” answers)
- The chapter and section numbers of appropriate instructions within quality manuals or procedures
- The name or job title of the person responsible (e.g. the process owner)
- Memos, e-mails etc., addressing the issue.

All the questions permit one of four answers:
- Yes
- No
- In Progress (Prog)
- Not Applicable (N/A)

For each requirement, the checklist also shows explicitly the section of ISO/IEC 20000-1 addressed by each question. The first column shows where a question directly relates to a clause or subclause within ISO/IEC 20000-1. Where an ordinal number is given this is the relevant paragraph within the stated clause or subclause.


Requirements for a management system

Management responsibility

ISO20000 Yes No Pro N/A Remark

a) Do service management plans define:

1) the scope of service management within the organization? 4.1 a)

2) the processes to be executed? 4.1 c)

3) the framework of management roles and responsibilities, including process owners? 4.1 d)

4) the objectives and requirements to be achieved? 4.1 b)

5) the interfaces between service management processes and how activities are to be co-ordinated? 4.1 e)

6) an approach to identifying, assessing and managing issues and risks to achieving the defined objectives? 4.1 f)

7) an approach to interfacing with projects delivering new, or modifying existing, services? 4.1 g)

8) required budget, facilities and other resources? 4.1 h)

9) provide an approach to managing, auditing and continuously improving the quality of service management? 4.1 j)

10) define key roles and responsibilities within the service management team?

11) where appropriate, address the use of third-party suppliers within the service? 4.1 d)

Reference:     

b) Are all specific process plans compatible with the service management plan? 4.1, 3rd

Reference:     

Documentation requirements

…..

Competence, awareness and training

…..


Planning and implementing service management

Plan service management (Plan)

…..

Implement service management and provide the service (Do)

…..

Monitoring, measuring and reviewing (Check)

…..

Continual improvement (Act)

…..

Planning and implementing new or changed services

…..

Service Delivery processes

Service Level Management

Process overview

ISO20000 Yes No Pro N/A Remarks

a) Is each service defined, agreed and documented in at least one SLA? 6.1, 1st

Reference:     

b) Have SLAs been documented and agreed with all relevant parties? 3.2 b); 6.1, 1st

Reference:     

c) Are there formal agreements, agreed by all parties, for all services that support SLAs and are supplied from outside the service provider’s management control? 6.1, 1st


Reference:     

d) Are there documented agreements, agreed by all parties, for all services that support SLAs and are provided internally within the organization? 6.1, 1st

Reference:     

Process scope

ISO20000 Yes No Pro N/A Remark

a) Is there a service catalogue showing the full range of IT services available to customers? 6.1, 1st

Reference:     

b) Have all parties concerned agreed the content of the service catalogue? 6.1, 1st

Reference:     

c) Have all underpinning support services relevant to SLAs been identified? 6.1, 1st

Reference:     

Activities

ISO20000 Yes No Pro N/A Remark

a) Do all relevant parties agree and record underpinning operational service objectives and corresponding procedures? 6.1, 1st

Reference:     

b) Is there agreement on the service level targets and expected service workload characteristics? 6.1, 1st

Reference:     

c) Do all formal agreements:

1) describe the service to be provided in terms of the business requirements?

2) reflect the potential need for changes to the service, workload or service levels by including a mechanism for changing the agreements?


Reference:     

d) Does the SLM process consider the costs of delivering the service and business justification of those costs?

Reference:     

e) Is there co-ordination with other service management support functions, including third-party suppliers?

Reference:     

f) Is there a procedure for the agreement of temporary variations to the service?

Reference:     

g) Are SLAs signed by senior customer and service provider representatives?

Reference:     

h) Are all services covered by SLAs also covered by formal change control procedures?

Reference:     

i) Are the targets against which the delivered service is measured expressed in terms of the customer’s business?

Reference:     

j) Is there a manageable set of targets within the SLAs?

Reference:     

k) Are OLAs and underpinning contracts regularly reviewed and renegotiated as part of significant change control?

Reference:     

l) Are the reasons for non-conformance to targets:

1) reported? 6.1, 4th

2) reviewed? 6.1, 4th

3) inputs to the service improvement plan? 6.1, 4th


Reference:     

Control, reporting and auditing

ISO20000 Yes No Pro N/A Remark

a) Are there at least annual reports on the Service Improvement Programme targets and the results produced and are these made available as appropriate?

Reference:     

b) Is there monitoring and reporting, current and trend information on:

1) the service levels achieved? 6.1, 4th

2) the resources used?

3) the cost of the service?

Reference:     

c) Are SLAs under change control? 6.1, 2nd

Reference:     

d) Are all service levels measurable?

Reference:     

e) Is there agreed responsibility for every measurement referred to?

Reference:     

f) Are reports on reviews and audits considered at Service Level Agreement review meetings?

Reference:     

Service Reporting

…..


Service Continuity and Availability management

…..

Budgeting and Accounting for IT services

…..

Capacity Management

…..

Information Security Management

…..

Relationship Processes

Business relationship management

…..

Supplier management

…..

Resolution Processes

Incident Management

…..

Problem Management

…..

Control Processes

Configuration Management

…..

Change Management

…..

Release processes

Release Management

…..


Conclusions

Non conformances

[describe non conformances against ISO/IEC 20000-1]

Observations / Areas for improvement

[describe the areas of improvements you have found]

Potential risks

[describe potential risks you have found]


Recommendations

[Recommend a series of practical steps for improving any shortfalls identified by the gap analysis]

Optional:
- A high level plan of approach to implement the recommendations.
- A clear path / next steps towards achieving ISO/IEC20000 certification


Appendix A - Glossary

In this report the following terms and definitions are used, including their explanations:

Appendix B - list of interviews

The information in this report is based on interviews with the following people:

Name Persons
