Appendix A - Type of assessment and audits and their outcomes
Appendix B - Complementary standards and best practices
Bibliography
Copyright BCS 2012 Page 1 of 14 BCS Foundation Certificate in ISO/IEC 20000: IT Service Management Syllabus Version 2.3 September 2012 ITIL is a registered trade mark of The Cabinet Office
Change History
Version Number and Date: Version 2.3 September 2013; Version 2.2 April 2012; Version 2.1; Version 2.0
Changes Made: Further amendments to incorporate changes from ISO/IEC 20000; New version to incorporate changes from ISO/IEC 20000-1:2005 to 2011, second edition; Re-formatted based on new branding guidelines, no change to technical content.
Introduction
This qualification covers the knowledge required to gain an understanding of the content and requirements of the international standard, ISO/IEC 20000, service management system requirements. It covers the certification requirements of ISO/IEC 20000-1:2011 and how the guidance in ISO/IEC 20000-2:2012 can be adopted by an organisation to deliver effective managed services and continually improve those services.
The qualification is aimed at staff in internal and external service provider organisations who require knowledge and understanding of the ISO/IEC 20000 standard and its content. It will provide:
- IT managers, service owners, process owners and other service management staff with an awareness of and familiarity with the ISO/IEC 20000 standard
- Individuals with the necessary knowledge to assess the relevance and importance of the ISO/IEC 20000 standard to the service management activities within their own organisation
- Managers and team leaders with a knowledge of a typical ISO/IEC 20000 service management system
- Internal auditors, process owners, process reviewers and assessors with a good knowledge of the ISO/IEC 20000 standard, its contents and justification of the need for internal reviews, assessments and audits
- Evidence that delegates have achieved a foundation level of knowledge of the ISO/IEC 20000 standard
This qualification does not provide the advanced level of knowledge for external auditors, consultants or those responsible for managing implementation of the standard in a service provider organisation.
Learning Objectives
Holders of the BCS ISO/IEC 20000 Foundation Certificate will be able to demonstrate their competence in, and their ability to:
- Describe the scope, intent and use of the ISO/IEC 20000 series, specifically Parts 1, 2, 3 and 5. The key terms and definitions
- Explain their understanding of the integrated approach to establishing and maintaining a service management system (SMS) and processes that conform with ISO/IEC 20000-1 (Part 1) certification.
- Describe the application of ISO/IEC 20000 and scope definition parameters for achieving certification.
- Understand and describe the requirements of the SMS and the approach to a continual improvement cycle (Plan-Do-Check-Act methodology)
- Understand and describe the intent and requirements of each clause of the ISO/IEC 20000-1 (Part 1) requirements standard.
- Recognise and describe the need to:
  - plan and implement IT service management processes;
  - report on the services and major metrics of the service management processes;
  - schedule and conduct regular reviews, assessments and audits;
  - plan for continual service improvement
- Plan and prepare for an ISO/IEC 20000-1 (Part 1) audit.
- Explain the purpose of assessments, reviews, internal and external audits of an SMS and how they are used.
- Understand accreditation and certification schemes for ISO/IEC 20000-1 (Part 1);
- Explain the relationship with linked ISO standards and ITIL best practices.
Entry Criteria
To be entered for the ISO/IEC 20000 examination, candidates must demonstrate at least two years' IT service management experience or hold the IT Service Management Foundation certificate.
Additional Time for Candidates who require Reasonable Adjustments due to a temporary or permanent disability
Candidates may request additional time if they require reasonable adjustments. Please refer to the reasonable adjustments policy for detailed information on how and when to apply.
Foreign language candidates who meet the above requirements are also entitled to the use of a paper dictionary (to be supplied by the candidate). The candidate registration form asks for the candidate's business language; if this is not English, BCS will automatically allocate additional time.
Syllabus
1. ISO/IEC 20000 Scope, Purpose and Use (20%)
Understand the principles of the multi-part ISO/IEC 20000 standard and be able to describe its scope, purpose and use. On completion of the course the candidate should be able to describe:
- The scope, purpose and use of key documents that comprise ISO/IEC 20000:
  - Part 1: Service management system requirements;
  - Part 2: Guidance on the application of service management systems;
  - Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1;
  - Part 5: Exemplar implementation plan for ISO/IEC 20000-1
- The purpose and use of ISO/IEC 20000-1 described in the Introduction and Scope, including Application (of ISO/IEC 20000).
- The purpose and use of guidance documents such as ISO/IEC 20000-2 and the use of "shall", "should", "may" and "can" statements.
- The principles of a service management system including the need for:
  - defining the scope of the service management system;
  - basing the overall quality management system on a structured hierarchy of policy, process and procedures, plans;
  - the role of the top management and management representative, including a process owner;
  - focusing on quality, measurement and improvement driven by business and customer requirements;
  - taking an end to end service approach;
  - management responsibility and control;
  - good customer relationships;
  - demonstrating governance of processes and control of other parties;
  - recognition of the contribution of personnel
- The relationships and differences between ISO/IEC 20000-1 (Part 1) and ITIL (see Appendix B).
- How ISO/IEC 20000 relates to other standards and best practice approaches that are commonly used in an organisation, such as ISO 9001, ISO/IEC 27001, ISO/IEC 38500 and COBIT (see Appendix B)
- Terms and definitions within ISO/IEC 20000-1 (Part 1)
- Accreditation and certification schemes including the role of ISO/IEC 17021:2011 (see Appendix A and B).
- Certification bodies
COBIT is a trademark of the Information Systems Audit and Control Association and the IT Governance Institute.
2. ISO/IEC 20000 Service Management System General Requirements (10%)
Understand the principles and processes for service management and the requirements of the overall management system. On completion of the course the candidate should be able to describe the requirements of a management system including:
- The scope of the service management system and the parameters required for a definition of scope.
- The requirements and responsibilities of management, including top management
- Governance of processes operated by other parties.
- The documentation requirements including the mandatory documents and records and the role of document and knowledge management in achieving the requirement.
- The requirements for resource management, including staff education, training, skills and experience.
- The requirements for establishing and maintaining the SMS
3. ISO/IEC 20000 Service Management Process Requirements (40%)
Understand the intent of the requirements and the requirements of the ISO/IEC 20000 service management processes. [Note: The intent of each process is based on ISO/IEC 20000-2:2012.] On completion of the course the candidate should be able to describe:
- The intent and requirements for the design and transition of new or changed services (3%).
- The intent and requirements of the service delivery processes (15%):
  - service reporting;
  - service continuity and availability management;
  - budgeting and accounting for services;
  - capacity management;
  - information security management.
- The intent and requirements of the relationship processes (5%):
  - business relationship management;
  - supplier management.
- The intent and requirements of the resolution processes (5%):
  - incident management;
  - problem management.
- The intent and requirements of the control processes (7%):
  - change management;
  - configuration management;
  - release and deployment management.
- The interfaces between the design and transition of new or changed services and the control processes
4. Achieving ISO/IEC 20000 and continual improvement (10%)
Understand the approach to establishing and maintaining the SMS to ensure the required processes are effectively implemented, services are continually improved and the requirements of the ISO/IEC 20000-1 standard are met. On completion of the course the candidate should be able to describe the requirements for service management including:
- Applicability, scope definition and scope statements:
  - scope definition requirements for parameters;
  - scope statements for certificates;
  - the requirements of Part 1 and guidance of Part 3 for scope definition and the structure of a scope statement;
  - the guidance and requirements for application, applicability and scope definition and their use in certification (ISO/IEC 20000-1:2011, Clauses 1.2 and 4.5.1, ISO/IEC TR 20000-3, Clauses 4, 5, 6, Annexes A and B).
- The plan-do-check-act methodology and its application to service management, processes and the services.
- The typical inputs and outputs to be managed.
- Defining the scope of the SMS.
- The requirements for planning service management and the SMS.
- The requirements to implement and operate service management and provide the services.
- The requirements for monitoring, measuring, reviewing and auditing.
- The requirements for continual improvement
5. ISO/IEC 20000-1 Review, Assessment and Audit Activities (20%)
Understand the types of review, assessment and audit of a service management system, including service management, and the use of supporting systems, tools and techniques that enable an organisation to plan and conduct reviews, assessments and internal audits of service management systems. Appendix A contains the types of assessment, audits and their outcomes that can be topics on an examination paper. On completion of the course the candidate should be able to describe the following:
- The types of evidence required to demonstrate conformity to ISO/IEC 20000-1.
- The types of reviews, assessments and audits required by the standard.
- The techniques and approaches that can be used for conducting reviews, assessment and audits, such as audit and self-assessment checklists.
- The implication of ISO/IEC 17021:2011 for audit practices.
- How to prepare for:
  - reviews;
  - assessments;
  - internal audits.
- What is involved in an external audit:
  - the steps involved in external certification;
  - the benefits of external certification;
  - how to prepare for an external audit;
  - the certification process for certification under ISO/IEC 20000-1, including full audits and surveillance audits;
  - what to expect in an audit and how to manage audit observations and nonconformities (major and minor).
6.
This syllabus has an accompanying examination at which the candidate must achieve to be awarded the BCS Foundation Certificate in ISO/IEC 20000: IT Service Management Syllabus
Type: 40 Question Multiple Choice
Duration: 1 Hour. An additional 15 minutes will be allowed for candidates sitting the examination in a language that is not their mother tongue, and where the language of the exam is not their primary business language. Foreign language candidates who meet the above requirements are also entitled to the use of a paper dictionary (to be supplied by the candidate).
Pre-Requisites: To be entered for the ISO/IEC 20000 examination, candidates must demonstrate at least two years' IT service management experience or hold the IT Service Management Foundation Certificate.
Yes No 26/40 N/A Paper based examination only.
To align with ISO/IEC 20000, the examination uses lower case including all references to ISO/IEC 20000 processes, defined terms and proper nouns. Upper case is used only for Clause (when referring to a specific numbered clause), International Standard, Part (when referring to a specific numbered part of ISO/IEC 20000).
The examination uses the verbal forms that are defined in the ISO/IEC Directives Part 2 (Annex H) and the ISO/IEC 20000 series, as follows:
- "Shall" is "must do". Shall statements are those which are audited for certification or conformity [3]. For example, "The service provider shall measure customer satisfaction at planned intervals."
- "Should" is used for guidance to recommend the preferred option for fulfilling a requirement [4], in Parts 2-5. Equivalent expressions are "it is recommended that" or "ought to".
- "Can" means "be able to", "there is a possibility of" or "it is possible to".
- "May" is used to signify permission expressed in the document. Equivalent expressions are: "is permitted" or "is allowed" or "is permissible".
[3] 'Shall' is used for a requirement strictly to be followed to conform, with no deviation permitted.
[4] 'Should' indicates that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or, with 'should not' (the negative form), that a possibility or course of action is deprecated but not prohibited.
First party audit / self-assessment: Conducted by the service provider's own resources, or external consultants acting on their behalf. An internal audit for ISO/IEC 20000-1 should meet the requirements of Part 1, Clause 4.5.4.2. A "self-assessment" can be conducted by the service provider's personnel, used to monitor and analyse a process and provide feedback to management on the effectiveness of the process and the benefits of any improvement.
Second party audit: Audit by a person or organisation that has a user interest in the service provider, e.g. customer.
Third party audit: Audit by a conformity assessment organisation usually referred to as a certification body. They are independent of and have no user interest in the service provider's organisation.
Typical outcomes of an assessment or audit by external and internal auditors are shown below. Using the terms from ISO/IEC 17021, Clause 9, a nonconformity is a non-fulfilment of a requirement (in Part 1). Examples are given below.
Type of outcome: Nonconformity - major
Description: A failure to fulfil one or more requirements of ISO/IEC 20000-1 or a situation that raises significant doubt about the ability of the SMS to achieve its intended outputs.
Examples: A whole process is missing, such as a service management process not performed, i.e. a significant requirement is not fulfilled by the SMS.
Type of outcome: Nonconformity - minor
Description: All other nonconformities that are not major. For example a few defective records. Any failure to fulfil a significant requirement where there is an agreed plan for correction and corrective action for the nonconformities, even if that nonconformity is major.
Examples: A correction is planned for a failure to agree the service continuity plan with the customer.
Type of outcome: Opportunity for improvement (sometimes 'observation').
Description: A feature of the SMS where action does not need to be taken. Opportunities for improvement must not be used instead of a nonconformity. In some assessments 'observations' are used to note an unusually good feature of the SMS.
Examples: Examples of opportunities for improvement can be slow implementation of agreed improvements or service levels that compare badly to industry benchmarks, even if the service targets are met. Observations can be fast and low risk turn-round of change requests, services that are exceptionally good value to the customer.
Type of outcome: Out of scope
Description: An aspect that is not in scope of the standard and does not need to be audited.
Examples: The procurement process.
Focus
Applicable to all organisations and is therefore more widely applicable than ISO/IEC 20000-1 and ISO/IEC 27001. It can address all working practices in the whole of an organisation.
Covers the requirements and information security management controls for an organisation's information security management system that can have a different scope to the service management system in ISO/IEC 20000-1.
Usage
Many service providers achieve certification to both ISO/IEC 20000-1 and ISO/IEC 27001.
Management system standard: Yes, they are all management system standards. Although the management systems are different there is overlap in general management system requirements and in some service management processes, including information security management. All three use the Plan-Do-Check-Act methodology.
Conformity assessment and certification: ISO/IEC 17021 applies to audits under each of these standards.
Note ISO/IEC 17021, Clauses 9.1.1.2 and 9.3.2.2 and Annex E
a) The certificate normally lasts 3 years before a full re-audit. However, certification can be suspended and then lost after a surveillance audit which is done at least once a year. Before the three years between full audits there might need to be a complete re-audit, if the service provider's circumstances change or there is a major change to the SMS or service.
b) ISO/IEC 17021, Clause 9.1.1.2 states: "The audit programme shall include a two-stage initial audit, surveillance audits in the first and second years, and a recertification audit in the third year prior to expiration of certification. The three-year certification cycle begins with the certification or recertification decision."
c) ISO/IEC 17021, Clause 9.3.2.2 states: "Surveillance audits shall be conducted at least once a year. The date of the first surveillance audit following initial certification shall not be more than 12 months from the last day of the stage 2 audit."
Aspect: Purpose
ISO/IEC 20000-1: A requirements standard that can be used for a conformity assessment of an organisation's service management system (SMS). To be certified a service provider must fulfil all requirements of the standard.
ITIL: A set of best practice guidelines that includes advice on how to do service management. ITIL is NOT suitable for a conformity assessment for an organisation or its service management system (SMS).
Aspect: Management system
ISO/IEC 20000-1: Clause 4 contains general requirements for a service management system, including the service management processes
ITIL: Contains references to ISO/IEC 20000 and the service management system. ITIL practices can be used to achieve the general SMS requirements in ISO/IEC 20000-1, Clause 4.
Aspect: Plan-Do-Check-Act methodology
ISO/IEC 20000-1: Uses the Plan-Do-Check-Act methodology (Deming cycle) as the basis of a continual improvement cycle
ITIL: The ITIL Continual Service Improvement publication includes the 7-step improvement process that is mapped to the Plan-Do-Check-Act methodology.
Governance of IT
ISO/IEC 20000-1 does not specify requirements for the governance of IT. It only includes requirements for the governance of processes operated by other parties. ISO/IEC 38500 is a guidance standard for corporate governance of IT. The purpose of the standard is to promote effective, efficient, acceptable and lower risk use of IT in all organisations by:
- assuring stakeholders that, if the guidance in the standard is followed, they can have confidence in the organisation's corporate governance of IT;
- informing and guiding directors in governing the use of IT in their organisation;
- providing a basis for objective evaluation of the corporate governance of IT.
The Control Objectives for Information and related Technology (COBIT5) is a governance and control framework for IT management. It was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). COBIT draws from the expertise of association members, industry experts, control and security professionals. It provides an objective and practical resource for executive management, business management, IT management and auditors.
Software asset management
ISO/IEC 20000-1 includes requirements for managing software assets in several clauses. The ISO/IEC 19770 series can be used for the management, control and protection of software assets, licences and to manage the risks arising from their use.
Bibliography
1. ISO/IEC 20000-1:2011, Information technology - Service management - Service management system requirements
2. ISO/IEC 20000-1:2005, Information technology - Service management - Code of practice
3. ISO/IEC 20000-2:2012, Information technology - Service management - Guidance on the application of service management systems
4. ISO/IEC TR 20000-3:2009, Information technology - Service management - Guidance on scope definition and applicability of Part 1
5. ISO/IEC TR 20000-4:2010, Information technology - Service management - Process reference model for IT service management
6. ISO/IEC TR 20000-5:2009, Information technology - Service management - Exemplar implementation plan for ISO/IEC 20000-1
7. ISO 9000:2005, Quality management systems - Fundamentals and vocabulary (some ISO/IEC 20000 terms are aligned with 9000)
8. ISO 9001:2008, Quality management systems - Requirements
9. ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements
10. ISO/IEC 17021:2011, Conformity assessment - Requirements for bodies providing audit and certification of management systems
11. ISO/IEC Directives, Part 2: 2011, Rules for the structure and drafting of International Standards - Edition 6.0
12. ISO/IEC 19770:2006, Information technology - Software asset management - Part 1 - Processes
13. ISO/IEC 38500:2009, Corporate governance of information technology
14. Cabinet Office (2011). ITIL Service Strategy. TSO, London.
15. Cabinet Office (2011). ITIL Service Design. TSO, London.
16. Cabinet Office (2011). ITIL Service Transition. TSO, London.
17. Cabinet Office (2011). ITIL Service Operation. TSO, London.
18. Cabinet Office (2011). ITIL Continual Service Improvement. TSO, London.