BCS Foundation Certificate in ISO/IEC 20000: IT Service Management Syllabus

Version 2.3 September 2012


Contents
Change History
Introduction
Learning Objectives
Entry Criteria
Format and Duration of the Examination
Notice to Training Providers
Syllabus
1. ISO/IEC 20000 Scope, Purpose and Use (20%)
2. ISO/IEC 20000 Service Management System General Requirements (10%)
3. ISO/IEC 20000 Service Management Process Requirements (40%)
4. Achieving ISO/IEC 20000 and continual improvement (10%)
5. ISO/IEC 20000-1 Review, Assessment and Audit Activities (20%)
6. Format of the Examination
Appendix A - Type of assessment and audits and their outcomes
Appendix B - Complementary standards and best practices
Bibliography

Copyright BCS 2012 Page 1 of 14 BCS Foundation Certificate in ISO/IEC 20000: IT Service Management Syllabus Version 2.3 September 2012 ITIL is a registered trade mark of The Cabinet Office

Change History
Version Number and Date: Changes Made
Version 2.3 September 2013: Updated the Reasonable Adjustments
Version 2.2 April 2012: Further amendments to incorporate changes from ISO/IEC 20000
Version 2.1: New version to incorporate changes from ISO/IEC 20000-1:2005 to 2011, second edition
Version 2.0: Re-formatted based on new branding guidelines, no change to technical content.


Introduction
This qualification covers the knowledge required to gain an understanding of the content and requirements of the international standard, ISO/IEC 20000, service management system requirements. It covers the certification requirements of ISO/IEC 20000-1:2011 and how the guidance in ISO/IEC 20000-2:2012 can be adopted by an organisation to deliver effective managed services and continually improve those services.

The qualification is aimed at staff in internal and external service provider organisations who require knowledge and understanding of the ISO/IEC 20000 standard and its content. It will provide:
- IT managers, service owners, process owners and other service management staff with an awareness of and familiarity with the ISO/IEC 20000 standard
- Individuals with the necessary knowledge to assess the relevance and importance of the ISO/IEC 20000 standard to the service management activities within their own organisation
- Managers and team leaders with a knowledge of a typical ISO/IEC 20000 service management system
- Internal auditors, process owners, process reviewers and assessors with a good knowledge of the ISO/IEC 20000 standard, its contents and justification of the need for internal reviews, assessments and audits
- Evidence that delegates have achieved a foundation level of knowledge of the ISO/IEC 20000 standard

This qualification does not provide the advanced level of knowledge for external auditors, consultants or those responsible for managing implementation of the standard in a service provider organisation.

Learning Objectives
Holders of the BCS ISO/IEC 20000 Foundation Certificate will be able to demonstrate their competence in, and their ability to:
- Describe the scope, intent and use of the ISO/IEC 20000 series, specifically Parts 1, 2, 3 and 5. The key terms and definitions.
- Explain their understanding of the integrated approach to establishing and maintaining a service management system (SMS) and processes that conform with ISO/IEC 20000-1 (Part 1) certification.
- Describe the application of ISO/IEC 20000 and scope definition parameters for achieving certification.
- Understand and describe the requirements of the SMS and the approach to a continual improvement cycle (Plan-Do-Check-Act methodology).
- Understand and describe the intent and requirements of each clause of the ISO/IEC 20000-1 (Part 1) requirements standard.
- Recognise and describe the need to:
  - plan and implement IT service management processes;
  - report on the services and major metrics of the service management processes;
  - schedule and conduct regular reviews, assessments and audits;
  - plan for continual service improvement.
- Plan and prepare for an ISO/IEC 20000-1 (Part 1) audit.
- Explain the purpose of assessments, reviews, internal and external audits of an SMS and how they are used.
- Understand accreditation and certification schemes for ISO/IEC 20000-1 (Part 1).
- Explain the relationship with linked ISO standards and ITIL best practices.

Entry Criteria
To be entered for the ISO/IEC 20000 examination, candidates must demonstrate at least two years' IT service management experience or hold the IT Service Management Foundation certificate.

Format and Duration of the Examination


The examination is a one hour closed book examination (no materials can be taken into the examination room) and will consist of 40 scenario-based multiple choice questions. The pass mark is 26/40.

Notice to Training Providers


Each major subject heading in this syllabus is assigned an allocated time. The purpose of this is two-fold: first, to give both guidance on the relative proportion of time to be allocated to each section of an accredited course and an approximate minimum time for the teaching of each section; second, to guide the proportion of questions in the exam. Training Providers may spend more time than is indicated and candidates may spend more time again in reading and research.

The total time specified is 18 hours of lecture and practical work. Courses do not have to follow the same order as the syllabus. Courses may be run as a single module or broken down into two or three smaller modules.

The Foundation examination will be based on the syllabus in this document. Examination questions may be drawn from all areas of the syllabus and coverage given can be expected to be in proportion to the amount of time allocated to that topic in the syllabus. Answers to examination questions may require the use of material based on more than one section of this syllabus; all sections of the syllabus are examinable.

The syllabus contains references to established standards. The use of referenced standards in the preparation of training material is mandatory. Each standard used must be the version quoted in the current version of this syllabus. Appendix A and B provide related information that can be used as the basis for an examination question.

This syllabus is structured into sections relating to major subject headings and numbered with a single digit section number. Each section is allocated a minimum contact time for presentation. Learning objectives are identified at the beginning of each section. The K level for each learning objective is identified at the lowest level of breakdown in the learning objectives list.

The breakdown of content matches the structure of the learning objectives, so that the material related to a given learning objective appears in a paragraph bearing the same numerical reference as that of the related learning objective. The content associated with each learning objective may include non-examinable explanatory commentary in italics as well as the examinable content associated with the learning objective.


Additional Time for Candidates who require Reasonable Adjustments due to a temporary or permanent disability
Candidates may request additional time if they require reasonable adjustments. Please refer to the reasonable adjustments policy for detailed information on how and when to apply.

Additional Time for Candidates whose business language is not English


An additional 15 minutes will be allowed for candidates sitting the examination in a language that is not their mother tongue, and where the language of the exam is not their primary business language.

Foreign language candidates who meet the above requirements are also entitled to the use of a paper dictionary (to be supplied by the candidate). The candidate registration form asks for the candidate's business language; if this is not English, then BCS will automatically allocate additional time.


Syllabus
1. ISO/IEC 20000 Scope, Purpose and Use (20%)

Understand the principles of the multi-part ISO/IEC 20000 standard and be able to describe its scope, purpose and use.

On completion of the course the candidate should be able to describe:
- The scope, purpose and use of key documents that comprise ISO/IEC 20000:
  - Part 1: Service management system requirements;
  - Part 2: Guidance on the application of service management systems;
  - Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1;
  - Part 5: Exemplar implementation plan for ISO/IEC 20000-1.
- The purpose and use of ISO/IEC 20000-1 described in the Introduction and Scope, including Application (of ISO/IEC 20000).
- The purpose and use of guidance documents such as ISO/IEC 20000-2 and the use of shall, should, may and can statements.
- The principles of a service management system including the need for:
  - defining the scope of the service management system;
  - basing the overall quality management system on a structured hierarchy of policy, process and procedures, plans;
  - the role of the top management and management representative, including a process owner;
  - focusing on quality, measurement and improvement driven by business and customer requirements;
  - taking an end to end service approach;
  - management responsibility and control;
  - good customer relationships;
  - demonstrating governance of processes and control of other parties;
  - recognition of the contribution of personnel.
- The relationships and differences between ISO/IEC 20000-1 (Part 1) and ITIL (see Appendix B).
- How ISO/IEC 20000 relates to other standards and best practice approaches that are commonly used in an organisation, such as ISO 9001, ISO/IEC 27001, ISO/IEC 38500 and COBIT (see Appendix B).
- Terms and definitions within ISO/IEC 20000-1 (Part 1).
- Accreditation and certification schemes including the role of ISO/IEC 17021:2011 (see Appendix A and B).
- Certification bodies.

COBIT is a trademark of the Information Systems Audit and Control Association and the IT Governance Institute.

2. ISO/IEC 20000 Service Management System General Requirements (10%)

Understand the principles and processes for service management and the requirements of the overall management system.

On completion of the course the candidate should be able to describe the requirements of a management system including:
- The scope of the service management system and the parameters required for a definition of scope.
- The requirements and responsibilities of management, including top management.
- Governance of processes operated by other parties.
- The documentation requirements including the mandatory documents and records and the role of document and knowledge management in achieving the requirement.
- The requirements for resource management, including staff education, training, skills and experience.
- The requirements for establishing and maintaining the SMS.

3. ISO/IEC 20000 Service Management Process Requirements (40%)

Understand the intent of the requirements and the requirements of the ISO/IEC 20000 service management processes. [Note: The intent of each process is based on ISO/IEC 20000-2:2012.]

On completion of the course the candidate should be able to describe:
- The intent and requirements for the design and transition of new or changed services (3%).
- The intent and requirements of the service delivery processes (15%):
  - service reporting;
  - service continuity and availability management;
  - budgeting and accounting for services;
  - capacity management;
  - information security management.
- The intent and requirements of the relationship processes (5%):
  - business relationship management;
  - supplier management.
- The intent and requirements of the resolution processes (5%):
  - incident management;
  - problem management.
- The intent and requirements of the control processes (7%):
  - change management;
  - configuration management;
  - release and deployment management.
- The interfaces between the design and transition of new or changed services and the control processes.


4. Achieving ISO/IEC 20000 and continual improvement (10%)

Understand the approach to establishing and maintaining the SMS to ensure the required processes are effectively implemented, services are continually improved and the requirements of the ISO/IEC 20000-1 standard are met.

On completion of the course the candidate should be able to describe the requirements for service management including:
- Applicability, scope definition and scope statements:
  - scope definition requirements for parameters;
  - scope statements for certificates;
  - the requirements of Part 1 and guidance of Part 3 for scope definition and the structure of a scope statement;
  - the guidance and requirements for application, applicability and scope definition and their use in certification (ISO/IEC 20000-1:2011, Clauses 1.2 and 4.5.1, ISO/IEC TR 20000-3 [footnote 2], Clauses 4, 5, 6, Annexes A and B).
- The plan-do-check-act methodology and its application to service management, processes and the services.
- The typical inputs and outputs to be managed.
- Defining the scope of the SMS.
- The requirements for planning service management and the SMS.
- The requirements to implement and operate service management and provide the services.
- The requirements for monitoring, measuring, reviewing and auditing.
- The requirements for continual improvement.

5. ISO/IEC 20000-1 Review, Assessment and Audit Activities (20%)

Understand the types of review, assessment and audit of a service management system, including service management, and the use of supporting systems, tools and techniques that enable an organisation to plan and conduct reviews, assessments and internal audits of service management systems. Appendix A contains the types of assessment, audits and their outcomes that can be topics on an examination paper.

On completion of the course the candidate should be able to describe the following:
- The types of evidence required to demonstrate conformity to ISO/IEC 20000-1.
- The types of reviews, assessments and audits required by the standard.
- The techniques and approaches that can be used for conducting reviews, assessment and audits, such as audit and self-assessment checklists.
- The implication of ISO/IEC 17021:2011 for audit practices.
- How to prepare for:
  - reviews;
  - assessments;
  - internal audits.
- What is involved in an external audit:
  - the steps involved in external certification;
  - the benefits of external certification;
  - how to prepare for an external audit;
  - the certification process for certification under ISO/IEC 20000-1, including full audits and surveillance audits;
  - what to expect in an audit and how to manage audit observations and nonconformities (major and minor).

Footnote 2: Under technical revision to become an International Standard re-aligned to ISO/IEC 20000-1:2011.


6. Format of the Examination

This syllabus has an accompanying examination at which the candidate must achieve a pass to be awarded the BCS Foundation Certificate in ISO/IEC 20000: IT Service Management.

Type: 40 Question Multiple Choice
Duration: 1 Hour - An additional 15 minutes will be allowed for candidates sitting the examination in a language that is not their mother tongue, and where the language of the exam is not their primary business language. Foreign language candidates who meet the above requirements are also entitled to the use of a paper dictionary (to be supplied by the candidate).
Pre-Requisites: To be entered for the ISO/IEC 20000 examination, candidates must demonstrate at least two years' IT service management experience or hold the IT Service Management Foundation Certificate.
Supervised/Invigilated: Yes
Open Book: No
Pass Mark: 26/40
Distinction Mark: N/A
Delivery: Paper based examination only.

To align with ISO/IEC 20000, the examination uses lower case including all references to ISO/IEC 20000 processes, defined terms and proper nouns. Upper case is used only for Clause (when referring to a specific numbered clause), International Standard, Part (when referring to a specific numbered part of ISO/IEC 20000).

The examination uses the verbal forms that are defined in the ISO/IEC Directives Part 2 (Annex H) and the ISO/IEC 20000 series, as follows:
- "Shall" is "must do". Shall statements are those which are audited for certification or conformity (footnote 3). For example, "The service provider shall measure customer satisfaction at planned intervals."
- "Should" is used for guidance to recommend the preferred option for fulfilling a requirement (footnote 4), in Parts 2-5. Equivalent expressions are "it is recommended that" or "ought to".
- "Can" means "be able to", "there is a possibility of" or "it is possible to".
- "May" is used to signify permission expressed in the document. Equivalent expressions are: "is permitted" or "is allowed" or "is permissible".

Footnote 3: 'Shall' is used for a requirement strictly to be followed to conform, with no deviation permitted.

Footnote 4: 'Should' indicates that among several possibilities one is recommended as particularly suitable, without mentioning or excluding others, or that a certain course of action is preferred but not necessarily required, or, with 'should not' (the negative form), a possibility or course of action is deprecated but not prohibited.


Appendix A - Type of assessment and audits and their outcomes


Type: Description of assessment / audit

Initial certification audit: Conducted by an accredited certification body for the first assessment of conformity against ISO/IEC 20000-1.

Re-certification audit: Conducted by a certification body to assess conformity against ISO/IEC 20000-1 after the first assessment.

Surveillance audit: Conducted by a certification body and carried out at least annually to assess and ensure continued conformity. It is a shorter audit than the initial and recertification audits. It ensures that representative areas of the management system are monitored on a regular basis. The focus is improvements, internal audits, management reviews, complaints, operational control, effectiveness of the SMS against service management objectives, areas of major change and any weaknesses identified during the previous audit.

First party audit / self-assessment: Conducted by the service provider's own resources, or external consultants acting on their behalf. An internal audit for ISO/IEC 20000-1 should meet the requirements of Part 1, Clause 4.5.4.2. A "self-assessment" can be conducted by the service provider's personnel and used to monitor and analyse a process and provide feedback to management on the effectiveness of the process and the benefits of any improvement.

Second party audit: Audit by a person or organisation that has a user interest in the service provider, e.g. customer.

Third party audit: Audit by a conformity assessment organisation usually referred to as a certification body. They are independent of and have no user interest in the service provider's organisation.


Typical outcomes of an assessment or audit by external and internal auditors are shown below. Using the terms from ISO/IEC 17021, Clause 9, a nonconformity is a non-fulfilment of a requirement (in Part 1). Examples are given below.

Nonconformity - major
  Description: A failure to fulfil one or more requirements of ISO/IEC 20000-1 or a situation that raises significant doubt about the ability of the SMS to achieve its intended outputs.
  Examples: A whole process is missing, such as a service management process not performed, i.e. a significant requirement is not fulfilled by the SMS.

Nonconformity - minor
  Description: All other nonconformities that are not major. For example a few defective records. Any failure to fulfil a significant requirement where there is an agreed plan for correction and corrective action for the nonconformities, even if that nonconformity is major.
  Examples: A correction is planned for a failure to agree the service continuity plan with the customer.

Opportunity for improvement (sometimes 'observation')
  Description: A feature of the SMS where action does not need to be taken. Opportunities for improvement must not be used instead of a nonconformity. In some assessments 'observations' are used to note an unusually good feature of the SMS.
  Examples: Examples of opportunities for improvement can be slow implementation of agreed improvements or service levels that compare badly to industry benchmarks, even if the service targets are met. Observations can be fast and low risk turn-round of change requests, services that are exceptionally good value to the customer.

Out of scope
  Description: An aspect that is not in scope of the standard and does not need to be audited.
  Examples: The procurement process.


Appendix B - Complementary standards and best practices


This appendix provides supporting information about ISO/IEC 20000, related standards and ITIL best practices that can be used in examination questions. Those that are most relevant are:
- Management system standards ISO 9001, ISO/IEC 27001;
- ITIL Service management best practices;
- ISO/IEC 38500:2008 and COBIT for governance of IT;
- Software asset management series, ISO/IEC 19770.

Comparison of ISO/IEC 20000-1, ISO 9001 and ISO/IEC 27001

Purpose
- ISO/IEC 20000-1: A standard that can be used for a conformity assessment of an organisation's service management system (SMS). To be certified a service provider must fulfil all requirements of the standard.
- ISO 9001: A standard that can be used for a conformity assessment of an organisation's quality management system (QMS).
- ISO/IEC 27001: A standard that can be used for a conformity assessment of an organisation's information security management system (ISMS).

Focus
- ISO/IEC 20000-1: Focus is service management. It is specifically designed to ensure the use of best practice processes for service management. The information security management process requirements have some similarities to ISO/IEC 27001 controls, but are not the same.
- ISO 9001: Applicable to all organisations and is therefore more widely applicable than ISO/IEC 20000-1 and ISO/IEC 27001. It can address all working practices in the whole of an organisation.
- ISO/IEC 27001: Covers the requirements and information security management controls for an organisation's information security management system that can have a different scope to the service management system in ISO/IEC 20000-1.

Usage
- Many service providers achieve certification to both ISO/IEC 20000-1 and ISO/IEC 27001.

Management system
- Yes, they are all management system standards. Although the management systems are different there is overlap in general management system standard requirements and in some service management processes, including information security management. All three use the Plan-Do-Check-Act methodology.

Conformity assessment and certification
- ISO/IEC 17021 applies to audits under each of these standards. Note ISO/IEC 17021, Clauses 9.1.1.2 and 9.3.2.2 and Annex E.
  a) The certificate normally lasts 3 years before a full re-audit. However, certification can be suspended and then lost after a surveillance audit which is done at least once a year. Before the three years between full audits there might need to be a complete re-audit, if the service provider's circumstances change or there is a major change to the SMS or service.
  b) ISO/IEC 17021, Clause 9.1.1.2 states: "The audit programme shall include a two-stage initial audit, surveillance audits in the first and second years, and a recertification audit in the third year prior to expiration of certification. The three-year certification cycle begins with the certification or recertification decision."
  c) ISO/IEC 17021, Clause 9.3.2.2 states: "Surveillance audits shall be conducted at least once a year. The date of the first surveillance audit following initial certification shall not be more than 12 months from the last day of the stage 2 audit."


Comparison of ISO/IEC 20000-1 and ITIL

Purpose
- ISO/IEC 20000-1: A requirements standard that can be used for a conformity assessment of an organisation's service management system (SMS). To be certified a service provider must fulfil all requirements of the standard.
- ITIL: A set of best practice guidelines that includes advice on how to do service management. ITIL is NOT suitable for a conformity assessment for an organisation or its service management system (SMS).

Management system
- ISO/IEC 20000-1: Clause 4 contains general requirements for a service management system, including the service management processes.
- ITIL: Contains references to ISO/IEC 20000 and the service management system. ITIL practices can be used to achieve the general SMS requirements in ISO/IEC 20000-1, Clause 4.

Plan-Do-Check-Act methodology
- ISO/IEC 20000-1: Uses the Plan-Do-Check-Act methodology (Deming cycle) as the basis of a continual improvement cycle.
- ITIL: The ITIL Continual Service Improvement publication includes the 7-step improvement process that is mapped to the Plan-Do-Check-Act methodology.

Governance of IT

ISO/IEC 20000-1 does not specify requirements for the governance of IT. It only includes requirements for the governance of processes operated by other parties.

ISO/IEC 38500 is a guidance standard for corporate governance of IT. The purpose of the standard is to promote effective, efficient, and acceptable and lower risk use of IT in all organisations by:
- assuring stakeholders that, if the guidance in the standard is followed, they can have confidence in the organisation's corporate governance of IT;
- informing and guiding directors in governing the use of IT in their organisation;
- providing a basis for objective evaluation of the corporate governance of IT.

The Control Objectives for Information and related Technology (COBIT5) is a governance and control framework for IT management. It was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). COBIT draws from the expertise of the association's members, industry experts, control and security professionals. It provides an objective and practical resource for executive management, business management, IT management and auditors.

Software asset management

ISO/IEC 20000-1 includes requirements for managing software assets in several clauses. The ISO/IEC 19770 series can be used for the management, control and protection of software assets, licences and to manage the risks arising from their use.


Bibliography
1. ISO/IEC 20000-1:2011, Information technology - Service management - Service management system requirements
2. ISO/IEC 20000-1:2005, Information technology - Service management - Code of practice
3. ISO/IEC 20000-2:2012, Information technology - Service management - Guidance on the application of service management systems
4. ISO/IEC TR 20000-3:2009 (footnote 2), Information technology - Service management - Guidance on scope definition and applicability of Part 1
5. ISO/IEC TR 20000-4:2010 (footnote 2), Information technology - Service management - Process reference model for IT service management
6. ISO/IEC TR 20000-5:2009 (footnote 2), Information technology - Service management - Exemplar implementation plan for ISO/IEC 20000-1
7. ISO 9000:2005, Quality management systems - Fundamentals and vocabulary (some ISO/IEC 20000 terms are aligned with 9000)
8. ISO 9001:2008, Quality management systems - Requirements
9. ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements
10. ISO/IEC 17021:2011, Conformity assessment - Requirements for bodies providing audit and certification of management systems
11. ISO/IEC Directives, Part 2: 2011, Rules for the structure and drafting of International Standards, Edition 6.0
12. ISO/IEC 19770:2006, Information technology - Software asset management - Part 1: Processes
13. ISO/IEC 38500:2009, Corporate governance of information technology
14. Cabinet Office (2011). ITIL Service Strategy. TSO, London.
15. Cabinet Office (2011). ITIL Service Design. TSO, London.
16. Cabinet Office (2011). ITIL Service Transition. TSO, London.
17. Cabinet Office (2011). ITIL Service Operation. TSO, London.
18. Cabinet Office (2011). ITIL Continual Service Improvement. TSO, London.
