Vous êtes sur la page 1sur 96

I S O / I E C 2 0 0 0 0 C E RT I F I C AT I O N

AND

I M P L E M E N TAT I O N G U I D E

Standard Introduction, Tips for Successful ISO/IEC 20000 Certification, FAQs, Mapping Responsibilities, Terms, Definitions and ISO 2000 Acronyms

Notice of Rights: Copyright The Art of Service. All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Notice of Liability: The information in this book is distributed on an As Is basis without warranty. While every precaution has been taken in the preparation of the book, neither the author nor the publisher shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in this book or by the products described in it. Trademarks: Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this book are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this book.

WRITE A REVIEW & RECEIVE A BONUS EMEREO EBOOK OF YOUR CHOICE: UP TO $99 RRP FREE!
If you recently bought this book we would love to hear from you! Submit a review of this purchase and youll receive an additional free eBook of your choice from our catalog at http://www.emereo.org. How Does it Work? Submit your review of this title via the online store where you purchased it. For example, to post a review on Amazon, just log in to your account and click on the Create Your Own Review button (under Customer Reviews) on the relevant product page (youll find plenty of example product reviews on Amazon). If you purchased from a different online store, simply follow their procedures. What Happens When I Submit my Review? Once you have submitted your review, send us an email via review@emereo.org, and include a link to your review and a link to the free eBook youd like as our thank-you (from http://www.emereo.org choose any book you like from the catalog, up to $99 RRP). You will then receive a reply email back from us, complete with your bonus eBook download link. It's that simple.

TA B L E O F C O N T E N T S
ISO/IEC 20000 Certification and Implementation Guide ........................ 1 Write a Review & Receive a Bonus Emereo eBook of Your Choice: Up to $99 RRP FREE! ................................................................................... 2 Table of Contents ..................................................................................... 3 ISO 20000 Implementation ...................................................................... 7 How to Approach ISO 20000 ............................................................... 8 Myths of ISO 20000 ............................................................................ 10 So Why Bother? .................................................................................. 11 Avoiding Issues ................................................................................... 12 Management ....................................................................................... 13 Obvious? ............................................................................................. 14 Still Facing Resistance ....................................................................... 16 Understand the Threat ........................................................................ 17 Strength in Numbers ........................................................................... 18 Watch out for Hazards........................................................................ 19
3

Misunderstanding? ............................................................................. 20 Need a Coach? ................................................................................... 21 Poorly Written Procedures ................................................................. 23 Poorly Written Procedures (continued) ............................................. 24 Poorly Written Procedures (continued) ............................................. 25 Documentation ................................................................................... 26 Special Departments ........................................................................ 27 How to Deal With It? .......................................................................... 28 Steering Teams ................................................................................... 29 Keep the Momentum ........................................................................... 31 Celebrate Progress ............................................................................. 32 Usual Suspects .................................................................................... 33 Prepare for Audit................................................................................ 34 Prepare for Audit (continued) ............................................................ 35 Going the Distance ............................................................................. 36

Make it Simple .................................................................................... 37 Management Review........................................................................... 38 Internal Audits .................................................................................... 39 Other Tips for Maintaining Success ................................................... 40 Other Tips for Maintaining Success (continued) ................................ 41 Roles & Responsibilities ..................................................................... 42 Certification Process .......................................................................... 43 Accredited Program Providers........................................................... 45 After the Certification What Happens Next? ................................... 46 ISO/IEC 20000 Certification .............................................................. 48 Personal Certification ........................................................................ 49 Qualification Scheme.......................................................................... 50 Mapping Responsibilities: Understanding Who Does What ............... 51 Techniques .......................................................................................... 52 RACI Matrices .................................................................................... 59

Tips for Successful ISO/IEC 20000 Certification Summary .................. 63 ISO/IEC 20000 Frequently Asked Questions ......................................... 65 Terms and Definitions Associated with ISO 20000 ............................... 83 List of Acronyms Associated with ISO 20000 ....................................... 90 Further Reading ...................................................................................... 95

I S O 2 0 0 0 0 I M P L E M E N TAT I O N

ISO 20000 Implementation

Tips & Techniques

The aim of ISO 20000 inherited from BS 15000 is to provide a common reference standard for any enterprise offering IT services to internal or external customers. Given the importance of communication in Service Management, one of the most important targets of the standard is to create a common terminology for service providers, their suppliers and their customers.

How to Approach ISO 20000

How to approach ISO 20000



If it works dont fix it this is not about perfection. Run a process improvement project Establish process management Integrate with ISO 9001/ISO 27001 Engage your assessor early Map organization & processes to ISO 20000
Plan to fill gaps Identify who needs to know what

Get process owners allocated and briefed


ISO 20000 & ITIL Foundation

Assessors & Implementers train as ISO 20000 consultants Common repository Assessment How comfortable are people with assessment

If there are effective processes in place that meet ISO 20000 then stick with them. Continual improvement will follow. Appoint a project manager as with any project it is important to a single individual to take responsibility. Use existing quality functions and integrate with ISO 9000. ISO 20000 Lead Assessor training is now available. Engage with your assessor early as you need to understand how they work and ensure they have the relevant qualifications. Establish process development & deployment process: review, update, deploy, audit and improve. Common repository ideally accessible online

Assessment How comfortable are people with assessment. If people have not been though an ISO 9000 assessment before then they may need coaching on how to handle audits and what is expected.

Myths of ISO 20000

Myths of ISO 20000


1. I need to know all about ITIL to get ISO 20000 2. Getting the ISO 20000 Certificate is the end game 3. My organization will have to start from scratch

1. You can obtain ISO 20000 without knowing anything about ITIL. However, this would be a missed opportunity. 2. No, getting the ISO 20000 certificate is just a stop on the service improvement journey driven by ISO 20000 requirements. 3. Certainly not, your organization is probably doing a lot of what ISO 20000 requires. The processes need to be implemented into your current environment, not the other way around.

10

So Why Bother?

So why bother?
Common approach to service management By product of process & service improvement Needed to recognize industry best practice ITIL increasingly recognized internationally Accredited assessment scheme Marketplace demand increasing Market advantage

Other examples of benefits ISO 20000 can bring relate to specific issues experienced by organizations worldwide e.g. Reduced duplication of process development effort To improve the transfer of staff across accounts and functions Provide a common framework for driving improvement Provide a common vocabulary & approach Tangible returns - reduced cost of ownership, improved service levels Staff have industry recognized qualifications Service Management recognized as a valuable role Clients assured by a certified and industry best practice approach.
11

Avoiding Issues

Avoiding issues
Without clear and reliable guidance people are generally reluctant to commit to change. No body wants to jump into a cold and unknown waters! Management must make sure the water is warm and welcoming.

Successful implementation depends on Management getting involved from the outset. Staff are generally reluctant to see changes taking in place in their working environment, especially when it involves taking on a new and unknown standard. If managers commit to the project and make their commitment visible, it sends a message that change is occurring from the top. This instills confidence, a sense of urgency and credibility to the changes.

12

Management

Management
So Management need to lead by example. They need to be the first to: Learn about ISO 20000 Planning the project and assigning responsibilities Make their commitment visible by providing resources Rewarding participation in the ISO project

Management commitment is an intangible concept. Compliance to the management responsibility requirements can be shown by documented leadership and actions for the development, implementation and improvement of its Service Management capability.

13

Obvious?

Obvious?
These points may seem obvious but the ISO 20000 registrar named:

Management buy-in and support


as the major obstacle faced by organizations who are attempting to implement ISO 20000.

Commitment of top management is indispensable for the successful implementation of ISO 20000. Leadership is one of the eight quality management principles that stem from ISO 9000. Documents that could demonstrate management commitment are: Records of the appointment of a member of management responsible for the co-ordination and management of all services. Written Service Management policy, objectives and plans Plan implementation results Communication records Documentation of customer requirements, records or customer satisfaction measurements
14

Records of resource determination Records of Service Management review such as review meeting minutes, action plans and follow-ups.

15

Still Facing Resistance

Still facing resistance


Staff need reassurance that there are benefits and light at the end of the tunnel. They need to know : Why is ISO important to this company? What difference will it make? How will it make my job easier? How will it change my job? What will stay the same?

Before any organizational change, it is essential that benefits are explained to all parties involved to gain support, to make the transition as easy and as successful as possible. Strong leadership is required. Another crucial aspect to consider is the cultural aspect of change. When a Service Improvement plan is implemented the focus can often be on the new or changing organizational structure and the new technology. Attention also needs to be paid to the cultural change by; determining the existing culture, identifying supportive behaviors and changing undesirable culture.

16

Understand the Threat

Understand the Threat


Understanding that staff feel threatened is half the battle. They have specific questions that relate to their own job role, responsibility and If I document everything I do, will I still have value? What does corrective action mean? It sounds like I am in trouble. Someone is going to audit my performance? All of a sudden you feel the need to check up on me?

Stakeholders, including customers and employees, must understand how they will benefit from more mature IT management, and why certain changes and measures are being planned. This awareness helps to remove the resistance to changes in established working practices. Underlying Principle: Everybody goes through the different states before embedding the change. Awareness and education prepare the people for the resistance that everybody will be going through. Think about changes that have occurred in your workplace and how you felt during these times.
17

Strength in Numbers

Strength in Numbers
To remove the threat, involve employees in the development process (and explain why decisions are being made): To modify or develop processes to meet the standard use the people that are currently involved in the process. Train all staff on the corrective action and internal audits; emphasize the focus on improving the process.

When creating competence, awareness and training, three quality management principles apply: Leadership: The ability of an individual to influence, motivate and enable others to contribute toward effectiveness and success of the organizations of which they are members. Involvement of People: Peoples special talents have to be recognized and made use of for the organizations benefit. Continual Improvement: The competence and awareness of people have to be developed and enhanced continually.

18

Watch out for Hazards

Watch out for hazards


There may be hazards along the way. This is a new standard for the company, so it is essential that everyone has sufficient knowledge and understanding to perform their role effectively. The company should provide: General introduction training for all staff into the ISO 20000 Consider more advanced training for the project manager and other people in charge of driving the project.

When organizing employees, the focus should not only be on obtaining a good match between the required and available competence, but also on the opportunities to develop competence, transfer expertise and learn skills. Mentors or coaches may support employees. Setting up skills groups can also support the exchange of experience and encourage the development of new competence.

19

Misunderstanding?

Misunderstanding?
It is also essential that all relevant parties have a clear understanding of Parts 1 and 2 of the ISO 20000 standard. Misinterpretation of the Standard can lead to wasted time and effort while: Redesign processes numerous times Over implementing the standard Uncovering major nonconformance during audit, delaying your certification.

The ISO 20000 standard is composed of two parts, under the general title Information Technology Service Management: Part 1 Specification: The formal specification of the standard. Part 2 Code of Practice: describes best practices in detail, and provides guidance and recommendations for the Service Management processes within the scope of the formal standard.

20

Need a Coach?

Need a Coach?
The company may want to consider using a ISO 20000 consultant: To help plan the project Interpret the standard Benefit from their experience Monitor your timeline.

However, properly trained staff will be able to support the organization through the planning and implementation of ISO 20000.

In 2007 EXIN developed a qualification and training program: ISO/IEC 20000 Qualification Scheme for Personnel. This program is designed according to the ISO accreditation standards, so that it can be recognized by the International Accreditation Forum (IAF). The EXIN qualification and training program provides a range of certifications that are explicitly designed to match the ITSM roles mentioned below: ISO/IEC 20000 Foundation ISO/IEC 20000 Professional (5 possible certifications) ISO/IEC 20000 IT Service Consultant/Manager ISO/IEC 20000 Senior IT Service Consultant/Manager ISO/IEC 20000 Internal Auditor ISO/IEC 20000 Lead Auditor
21

The current personal certification offers an international recognized qualification scheme in IT service quality management knowledge and understanding.

22

Poorly Written Procedures

Poorly written procedures


Procedures will be ignored if they appear too complex and can not be understood. Use user-friendly language and make sure procedures are clear and concise.
Why use 10 words when 1 will do?
The items hereinunder referenced in several instances were found to be excessively outside of the minimum parameters required by this standard. Therefore, from immediate effect changes will be implemented and complied with to ensure success

The following list includes items that did not meet the requirements of the standard and will need to be improved.

ISO does not define the term procedure but does require documented and maintained procedures for each process or set of procedures. The ITIL version 3 glossary definition of a procedure is: A procedure is a document containing steps that specify how to achieve an activity. Procedures are defined as part or processes. So when describing the processes, the procedures should also be described.

23

Poorly Written Procedures (continued)

Poorly written procedures cont..


Use short sentences starting with a verb. Avoid using the passive voice. Make it clear who is performing the task. Use white space and user friendly fonts, for easy reading. Dont do too much e.g. work instructions for everything. Dont overlap or repeat e.g. including a process in more than one work instruction. Dont do too little e.g. lack of work instructions where the process affects the quality of the product.

Establish procedures and responsibilities for the creation, review and approval, maintenance, disposal and control of documentation and records. The senior responsible owner should ensure evidence is available for an audit of Service Management policies, plans and procedures. A process for creating and managing documents should be operational. Also protect documentation from damage.

24

Poorly Written Procedures (continued)

Poorly written procedures cont..


It is important that the person who is writing the procedures plays a major role in the process. If procedures are written by someone removed from the process, it will not be successfully implemented. The results will be: Procedure is unrealistic, not practical Procedure fails to address key issues for the process

Just as for processes and procedures, few specifically required documents are mentioned in ISO 20000. However, again this does not mean than at organization, having established only the explicitly required documents, will be automatically certified against the standard. They should be able to prove that they have firmly established all the processes required by the standard, whilst also being able to show the necessary documentation for this (not necessarily on paper).

25

Documentation

Documentation
Remember: the goal here is consistency for your processes. Question: If two trained employees were to perform this task, would they do it the same way? If the answer is no, a work instruction is needed.

Without well documented work instructions an organization would soon be left with just the knowledge that is stored in the heads of people, and people tend to move to other jobs or forget about things and what if they do not agree on a specific issue? Standardization would be a hard quest if we were unable to rely on agreed and well-documented instructions.

26

Special Departments

Special Departments
Are there departments within your organization that have their own rules, require special circumstances or artistic license to complete their tasks? It is possible that you will encounter some resistance to documenting procedures in these areas.

A specific type of evidence required would be records. Records are documents stating results achieved or providing evidence of activities performed.

27

How to Deal With It?

How to deal with it?


It is important to demonstrate to these departments that the processes should be consistent. The creativity takes place within the process. Document the procedure to describe the steps that must be followed, but not to prescribe the detail of their job.

Please keep in mind that ISO 20000 should not be a collection of processes, procedures, documents and records, but rather an integrated management system, with interrelating documentation.

28

Steering Teams

Steering Teams
It is essential to have decision makers and resource providers situated on the steering team to ensure that decisions can be made quickly and by the right people. The steering team must also: Monitor the timeline Remove obstacles Provide resources Coordinate efforts between different groups

The objective of this team will be to ensure all the critical success factors are met: Create a sense of urgency Strong coalition at the top Vision and leadership in maintaining strategic direction, clear goals and measurement of goal realization Acceptance of innovation and new ways of working Common understanding of the business, its stakeholders and its environment IT staff understanding the needs of the business The business understanding the potential of IT

29

Information and communication available and accessible to everyone who needs it Tracking of technology developments to identify opportunities for the business Creating quick wins, without forgetting about the long term benefits Institutionalizing the organizational changes.

30

Keep the Momentum

Keep the momentum


Another issue that organizations face, is loosing the momentum and forgetting about good practice over time. The most common break down is with communication. Employees are left outside the loop and hear less about progress as the project progresses. They become less motivated and uninformed. As the project goes on it is essential that staff are kept informed with progress reports and changes etc.

Communications should have an intended purpose and a clear audience. The audience must have been actively involved in determining the need for that communication and what they will do with the information. Frequency, location and choice of medium for communication should be decided by the individual department and documented in a policy (the choice must serve the goal).

31

Celebrate Progress

Celebrate progress
Involve employees and customers by keeping the project visible. Celebrate progress, achievement of goals and successes by: Get Togethers Employee/Team/Department Recognition Regular communications e.g. reports, newsletters, emails etc. Rewards e.g. financial etc.

Examples of Motivation: Show success (examples from other Organizations, departments) Acknowledge weaknesses (with improvement actions) Ownership (Involve people in the change to develop ownership of the outcome)

32

Usual Suspects

Usual suspects
The usual suspects for non-conformance can be found are within the following areas: Design Control Document Control Purchasing Equipment Corrective Action Training

The documentation of the management system and the process documents have an initial assessment. If there are any audit failures, called non conformances, then they will be added to the Corrective Action Plan (CAP). It is required that clients document how they are going to address these CAPs and returns details to the certification body for agreement.

33

Prepare for Audit

Prepare for audit


Being prepared for audit can only improve your chances of Success. It will also enable staff to get used to the system and the audit environment. To get prepared: Complete one cycle of internal audits Complete one management review Have approximately 3 months of records Have a minimum of one design project documented end-toend (from start to finish).

Once the service provider has carried out the implementation processes for the QMS and an internal assessment shows that the processes meet the ISO 20000 requirements they are ready for The 7 Step Certification Process: Questionnaire Application for Assessment Optional Pre-Audit Initial Audit (Stage 1) Certification Audit (Stage 2) Surveillance Audits Re-Certification Audits

34

Prepare for Audit (continued)

Prepare for audit cont


Make all employees aware of the audit Make sure they know what to expect Inform all relevant parties of the timeframe and content of the audit Do a pre-check of your departments to identify any uncalibrated equipment and uncontrolled documents etc.

A pre-audit is a high-level evaluation indicating where the company currently stands in compliance with ISO 20000. If an organization is new to ISO audits, this will help educate management and staff on what is about to occur. The auditor will point out any areas of concern. Addressing issues at this point reduced risks of non conformance during the actual audit. This early observation can be immediately implemented into the management system, so findings can be fixed before the official audit commences.

35

Going the Distance

Going the distance


Are you fully compliant or just fire fighting?
Once implementation is in progress and staff are on board, there are still challenges ahead. Time will tell if you have implemented a fully compliant system or if further improvements need to be made. Examples of problems that can arise are:
Problem
The system is too complicated and becomes static

Related Issues
the system may have been built as the ideal system, not a reflection of what is actually done. Employees become confused and lose motivation.

A program of regular surveillance audits is agreed to verify that the requirements of the ISO 20000 standard continue to be met, and again, CAPs will be raised if appropriate. These surveillance audits are undertaken over a three year cycle to ensure that the management system is working properly. This is performed in addition to the internal audits and to ongoing monitoring and management that are performed internally.

36

Make it Simple

Make it simple
If problems arise, dont be afraid to make changes to the system. If necessary, simplify the procedures. Once they have been used, feedback can be obtained on how well they are working. This feedback can be used to identify specific areas for improvement. Dont expect the system to be perfect immediately.

Auditing for improvement using Key Performance Indicators is a common method of tracking metrics. Trend analysis can be done by using a Balanced Scorecard. A Balanced Scorecard contributes to organizational performance management. The goals for organizational performance management should include four perspectives: Customer Perspective: Relevant to most processes and particularly to SLM with documented targets. Internal Process Perspective: Include the ISO 20000 processes Learning and Growth Perspective: Staffing, training and investments in software. Financial Perspective: IT Financial Management covers how costs and charges are allocated to the customer organization.
37

Management Review

Management Review
If your current Management Review becomes ineffective ask questions to identify were gaps are found e.g. Evaluate the data that is provided. Is it enough to communicate to Management how the quality system is working? Is Management assigning action items and following up on them? Is Management devoting enough time to the Management review?

Targets should be measurable, linked to business objectives and documented in a plan. The review should be actively managed, and progress should be monitored against formally agreed objectives.

38

Internal Audits

Internal Audits
If your current Internal Audit becomes ineffective ask questions to identify were gaps are found e.g. Is Management committed? Are employees available for the audit? Auditees Auditors Is it always the same person auditing? It may be time for a change, new people mean new perspectives!

An independent evaluation is needed to assess the performance, and is also required by customers and third parties. The results can be used to update the agreed measures in consultation with the customers, and also for their implementation. The results of the evaluation may suggest changes, in which case an RFC is defined and submitted to the change management process. Unlike self assessments, the same personnel that act in the other sub processes do not undertake audits. This is to ensure that the responsibilities are separated. An internal audit department may undertake audits.

39

Other Tips for Maintaining Success

Other tips for maintaining success


Assign responsibilities to a variety of people; dont assume that the Quality Manager has to be responsible for everything. Use other coordinators for dealing with: Corrective actions Training Records Equipment Quality Records Internal Audits.

Share the load. Make sure roles and responsibilities are allocated and aligned with specific tasks.

40

Other Tips for Maintaining Success (continued)

Other tips for maintaining success cont


Use the system that you have built its not just for show: Implement corrective actions Training Records Emphasize the importance of Corrective action Management Review Internal Audit Continue Training

The system is not just to obtain ISO 20000 certification. It can provide a basis for real growth and success for the business, if it is used correctly and consistently.

41

Roles & Responsibilities

Roles & Responsibilities


itSMF UK register certification bodies (RCBs), who grant certification. Most countries have local certification bodies, that perform certification audits. Certification bodies are registered with the national accreditation body. Many national accreditation bodies are registered with the International Accreditation Forum (IAF) Certificates issued by IAF Multilateral Recognition Arrangement (MLA) assures customers that the certificate is credible. This process of certification and accreditation assures international customers that the process of certification in guaranteed.

For more information on roles and responsibilities, see the Mapping Responsibilities section of this book.

42

Certification Process

Certification Process
Once the service provider has carried out the implementation processes for the QMS and an internal assessment shows that the processes meet the ISO 20000 requirements they are ready for The 7 step certification process: 1. 2. 3. 4. 5. 6. 7. Questionnaire Application for assessment Optional pre-audit Initial audit (stage 1) Certification audit (stage 2) Surveillance audits Re-certification audits

There are numerous benefits to being certified: Implementing ISO 20000 improves business process effectiveness and efficiency and saves money. Most companies implementing ISO 2000 certification subsequently report increases in process efficiencies, higher customer satisfaction and improved service quality. Customers are assured that the development and delivery of services complies with globally accepted standards. Companies should ensure they are pursuing certification for the right reasons:

43

To qualify for new customers more and more corporations see ISO 20000 certification as an essential requirement for conducting business with a new vendor.

To enter global markets ISO 20000 standards are widely recognized. To have better documentation available for numerous purposes. To give the company a competitive edge and show the drive for quality services.

44

Accredited Program Providers

Accredited Program providers


There a re-number of factors which can influence the quality of an ISO 20000 program: Quality of the tutors Planning of the course Suitability of the venue Consistency of the program materials with ISO 20000 Experience of the attendees Use of practical oriented examples Assignments Possibilities for group discussions

Examination bodies co-operate closely with their accredited training organizations to monitor the quality of the training provided.

45

After the Certification What Happens Next?

After the certification what happens next?


Audit Plan [example] Pre-audit / internal audit Certification audit Half surveillance audit Half surveillance audit Re-certification audit 2nd 1st

Year 0

Year 1

Year 2

Year 3

Full

Partial

Partial

Partial

Partial

Full

You will need to re-certify after 3 years and it is considered good practice to partial audits at least once a year to ensure that the focus stays on process management control and doesnt slack off. Cost would be similar to ISO 9000 audits. When you choose your registration body cleverly, you might be able to combine the ISO 20000 audit with the ISO 9000 audits and ISO 27001 audits. Annual surveillance audits are required. Internal audits are required by part 1 and the certification scheme (section 4.3).
46

What happens if non-conformance is found? If a major non-conformance is found during the initial audit, the auditor will not issue the certificate. If a major non-conformance is found during a surveillance audit, the auditor will require that the non-conformance be rectified. If a minor non-conformance is found, the auditor may require a follow-up audit.

47

ISO/IEC 20000 Certification

ISO/IEC 20000 Certification

Can I be ITIL Certified? Can I Certify my Service Desk? Can I Certify my Product or Service?

Can I Certify my Service Management Processes?

It is important to clarify what can and what cannot be certified. ISO 20000 provides certification of IT Service Management processes. The ISO/IEC 20000 standard has been developed as a standard against which service providers can be certified. A service provider that wishes to express their adherence to quality in IT Service Management can have its IT organization independently certified.

48

Personal Certification

Personal certification
Internationally recognized qualification professionals in ISO 2000 is of increasing importance both to organizations and individual professionals. Optimizing professionalism is an important factor of successful IT service improvement programs. Staff commitment for such programs can be boosted by challenging and rewarding employees with internationally recognized certifications.

In order to become ISO 20000 certified, companies should be able to show that they have a quality management system in place and their ITSM processes should be firmly established. The standard is quite succinct when it comes to requirements that personnel involved in providing the services should meet. It is assumed that the execution of the provisions of this part of ISO 20000 is entrusted to appropriately qualified and competent people.

49

Qualification Scheme

Qualification Scheme

Earning an independent certificate represents solid evidence of your successful completion of the course requirements. It illustrates your dedication to becoming more competent and valuable to your organization and to the customers you serve.

50

MAPPING RESPONSIBILITIES: U N D E R S TA N D I N G W H O D O E S W H AT
Achieving ISO/IEC 20000 requires roles and responsibilities to be clearly defined. Clarity on who does what avoids confusion, variations in processes that ought to be consistent, and inefficiency in delivery of the service. This is particularly important if roles and responsibilities need to change, as they often will when a service provider is aiming for the kind of best practice model specified in ISO/IEC 20000. ISO.IEC 20000 recognizes that each service provider may implement and allocate roles differently. It does not specify how roles and responsibilities should be documented; matrices, in various forms can be used for this.

51

Techniques
Matrices can be used to supplement job descriptions and process procedure documentation, see Tables 1-6 for examples. Responsibility matrices provide a compact, concise and easily managed method of tracking who does what in each process and between processes, which is better than a large volume of text. The examples given in Tables 1-6 are used by real service providers, and re tuned to their needs and environments. They are included to illustrate the use of responsibility matrices and are not generic nor are they models for another service provider to adopt. Specific examples of responsibility matrices are also available in best practice material, such as that found in ITIL The examples included are samples from the service level management and service reporting processes. In the example shown the service review is used to describe the customers future business plans and needs and the current operational service. Each entry could be broken down further to lower levels of detail in a logical hierarchy to map onto a procedure or even to clarify responsibilities at work instruction level. Matrices such as those in Tables 2-6 will help a service provider meet the ISO/IEC 20000 requirements for competence, awareness and training.

52

Table 1: Key to abbreviations for Tables 2- 4


Abbreviation BRM Role Business Relationship Manager Description Person responsible for the relationship with the business. Has overall responsibility for the relationship with the customer and for customer satisfaction. IM Incident Manager Person responsible for the effectiveness of the incident management process. OM Operational Manager Person responsible for managing delivery of a service team. Has line management responsibility for staff delivering that service. SLR Service Level Reporting team People documenting service level achievement and explanation of exceptions.

53

Table 1: Key to abbreviations for Tables 2- 4 (continued)


What?... states what needs to be achieved When? explains when the particular process/procedure must be followed Why?... explains why the practice exists and how it has been developed How?... explains how the practice is achieved Who?... tells which members of the team are responsible

54

Table 2: Service Review Meetings


What Customer: Hold meetings, document appropriately, monitor and own actions When As appropriate, but within published schedule Why a) Ensure service level agreement (SLA) reflects customer needs b) Ensure agreed services are met c) Provide audit trail of issues / actions Internal: Hold meetings, document appropriately, monitor and own actions As appropriate but within published schedule a) Ensure SLA reflects customer needs b) Ensure agreed services are met c) Provide audit trail of issues / actions d) Encourage participation / team work e) Understand customers business plans f) Incorporate internal planning Define agenda, dates, participants BRM OM How Define agenda, dates, participants Who BRM OM

55

Table 3: Service Level Reporting


What Design and content awareness When Start of responsibility / SLA changes Why In order to ensure that report is accurately measuring SLAs How Review report and crossreferenced with SLA Production As per contract To ensure that data contained within report is accurate and complete Verification After production of report To ensure that data contained within report is accurate and complete Delivery As per SLA To provide customer with SLA measurement information Electronic and / or paper bound report distributed SLR IM BRM Review report SLR OM Review report SLR OM Who SLR OM

56

Table 4: Incident and Internal Reports Incident Report


What Production When Upon request of BRM / customer / IM or as detailed within SLA Delivery Within 5 working days of incident or as detailed within SLA To cascade information to customer and internal support teams Electronic / paper bound report distributed. Review content with BRM prior to distribution Sign-Off As timetabled in the incident report To ensure that planned actions are carried out by the business Review status with OMs until all actions closed IM IM BRM Why To detail impact, and to action prevention of recurrence How Standard format on incident report database Who IM OM

57

Internal Report (for Delivery Team)


What Production When Within agreed timescales Why Inform line manager on service and financial status How Commercial internal report template Who BRM Team Leaders

58

RACI Matrices
Matrices that identify who is accountable, responsible, consulted or informed (ARCI) are also useful. These are generally referred to as RACI matrices. Differences in RACI Roles The differences in roles are normally based on guidelines such as: Accountable (i.e. the buck stops here): o o Person with YES/NO authority, sign-off, approval, veto Should be no more than one per row

Responsible (i.e. the doer): o o o Takes initiative to accomplish a task/function/decision Develops alternatives Consults and informs others

Consulted (i.e. kept in the loop): o o o Asked for input prior to decision/action Part of two-way communication Can be initiated or solicited

Informed (i.e. keep in the picture): o o o o Told about a decision/action usually after the fact Permission is not sought from this person One-way communication May be prior to going public to a wide audience
59

The accountable, responsible, consulted and informed states can be mapped against each process or sub-process, and used in conjunction with a process map or a procedure. Documenting roles and responsibilities this way reduces some of the ambiguity that can arise from a purely text-based description. Table 5 given an example matrix for the change management process. A lower level of detail may be useful for each of the tasks shown in the matrix in Table 5. An example of a lower level is given in Table 6 for task number four: Build, test and implement change.

60

Table 5: ARCI Matrix Example (Level 1)

Task 1. Log request for change (RFC) 2. Categorization RFC 3. Assess, appraise and schedule RFC 4. Build, test and implement change 5. Verify and close

Accountable Change Initiator

Responsible Change Initiator

Consulted

Informed

Change Manager

Change Manager

Configuration Manager

Change Manager

Change Manager

Configuration Manager

Implementation Manager

Implementation Manager

Change Manager

Configuration Manager

Change Manager

Change Manager

Configuration Manager

61

Table 6: ARCI Matrix Example (Level 2)


Task 4.1 Build change 4.2 Test change Accountable Development Manager Test Manager Responsible Development Manager Test Manager Consulted Change Manager Change Manager 4.3 Implement change Operations Manager Operations Manager Change Manager Informed Configuration Manager Configuration Manager Configuration Manager

62

TIPS FOR SUCCESSFUL ISO/IEC 2 0 0 0 0 C E RT I F I C AT I O N S U M M A RY


Executive and top management have to support the initiative As personnel and financial resources are under constant pressure to succeed with such an extensive project while taking care of daily business. Motivate and successfully engage the staff All involved employees have to embrace the certification as their own personal goal. Management needs to motivate employees and position them properly according to their skills. However, it also requires the commitment to replace objectors and naysayers if necessary. Conduct risk analyses upfront It is important to estimate upfront what challenges may occur and what measures can be taken to quickly address them if necessary. Make processes operational The project leaders have to understand from the beginning how to implement the newly defined or improved processes and which measures are necessary to do so. Also the selection of the right IT service management software plays an important role.

63

The certification is only the first step A service initiative does not end with the certificationit starts with it! The ISO 20000 certification is an investment in the future of the company, which will result in increased quality and customer satisfaction. To achieve this, the goals must be continuously pushed forward and routinely checked even after successful certification.

64

I S O / I E C 2 0 0 0 0 F R E Q U E N T LY ASKED QUESTIONS
What is ISO/IEC 20000? ISO/IEC 20000 is the International Standard for IT Service Management. This is based on the British Standard, BS15000, with minor but not significant changes. ISO/IEC 20000 was published in mid December 2005. ISO/IEC 20000 provides a recognized accreditation against which an organization can demonstrate to their customers that its IT Service Management processes represent best practice. The certification scheme for BS15000 run by itSMF has been updated to become the scheme for ISO/IEC 20000. What are the benefits of ISO/IEC 20000 certification? Development an ISO/IEC 20000 standard compliant IT service organization will take time and will often lead to some organizational change. However, the benefits of having a proven, conformant best practice IT service provision is: A more competitive business Aligned IS/IT strategy with the overall business strategy Managed and reduced risk
65

Tangible cost savings More effective supplier management Market leverage and competitive advantage (through the status of compliance / certification) Improved reputation and greater consistency and interoperability Faster time to implement change Improved reliability and availability of service, leading to improved customer satisfaction Suppliers and partners will become more integrated and service focused Possibility of benchmarking with other organization

Who is ISO/IEC 20000 for and why should I be interested? All businesses large and small will be interested in ISO/IEC 20000, as it is the recognised means of benchmarking the delivery of IT to the business. It is sector independent, and relevant to both public and private sector organizations. The main parties that may take specific interest in ISO/IEC 20000 are providers of IT service management services, businesses outsourcing their IT services, businesses managing their own IT services and all providers wishing to benchmark their existing IT service management services.

66

Certification to ISO/IEC 20000 through the itSMF scheme provides an independent, industry-wide recognition of an organisations IT Service Management capabilities, and there is already evidence that certification is becoming a requirement in tenders etc. Why are Standards important? In terms of IT Service Management, an ever-increasing demand to improve services through the use of emerging technologies and to transact business nationally and internationally, standards provide a common and consistent platform for organisations to work from. For example, one of its uses is to allow existing providers to benchmark their IT service management. How is certification achieved? The process is similar to that used by other ISO standards, such as ISO 9001 and ISO 27001. It requires adoption of the requirements of the standard, and demonstration of adherence via audit by a third party, which is known as a certification body. An assessment can be carried out by external auditors from a recognized certification body to provide you with a conformance report and, if successful, a certificate for your organization.

67

Who are the certification bodies? There are a growing number of accredited certification bodies. Examples include BSI, Certification Europe Ltd, DNV, DQS, Japan Quality Assurance Organization, LRQA, SGS, STQC and TUV. How long will it take to become ISO/IEC 20000 certified, and how much will it cost? Every organisation is different so there can be no single answer. Your existing level of maturity in service management, the scope of the audit, the size of your company, the resources that can be dedicated to the certification programme will all impact on the time to gain ISO/IEC 20000. For this reason, it is always recommended that organisations undertake an assessment of their current compliance before decided on an accreditation plan. This produces a realistic and achievable approach which maximises the change of early success. For more information, contact one of the Registered Certification Bodies who will usually arrange for a quotation following initial discussions. The reality is that a formal audit is usually a very small proportion of the total cost that an organisation will incur in implementing a service improvement programme.

68

How is conformance with ISO/IEC 20000 demonstrated? Conformance can be demonstrated in various ways, both internally and externally. Internal reviews can be used to assess on a more details level whether the current IT Service Management processes conform to the standard and establish areas for improvement. These reviews might be part of an existing Continuous Service Improvement Program. External reviews tend to be less details but are likely to be seen as a more objective and so carry greater weight that internal ones since they are both impartial and independent. If a Registered Certification Body (RCB, commonly known as an external auditor) conducts the external review and you meet the certification criteria, your organization can become certificated as part of the scheme. You can then display the ISO/IEC 20000 certification logo. This demonstrates that you have been independently assessed as having adequate controls and procedures in place and that you are able to consistently deliver a quality of service. There is a list of accredited RCBs on at www.bs15000certification.com.

69

What is BS15000? BS15000 is the British Standard for IT Service Management. As of midDecember 2005, this was replaced by the international standard, ISO/IEC 20000. I have BS15000 consultant/auditor qualification. What happens to that? BS15000 and ISO/IEC 20000 only have minor differences so your current qualification will be equally useful in supporting organizations with certification for ISO/IEC 20000. You now need to understand the differences between the two standards. BSI has published a booklet to accompany ISO/IEC 20000 that details the exact changes between the two standards. See www.bsi-global.com. Full details are posted on www.bs15000certification.com. I have been working to achieve BS15000. Is this a wasted effort? Because ISO/IEC 20000 is so similar to BS15000, any preparation activities previously made for BS15000 will be equally valid for ISO/IEC 20000. There are 16 changes to requirements in ISO/IEC 20000, all of which are minor.

70

How does the transition between BS15000 to ISO/IEC 20000 certification work? The certification body, itSMF, has issued guidance on the transition which can be found on www.bs15000certification.com. I already have ISO 9000 certification. Why do I need ISO/IEC 20000? ISO 9000 is applied and used by all organisations in different sectors and industries and whilst it has certain attributes and benefits that are valuable to your existing commercial relationship, you should consider whether you wish to have a specific certification for the IT Service Management (ITSM) component of your business. ISO 9000 addresses all working practices in a business, without concentrating specifically on IT Service Management processes (although they may be included at a detailed level). ISO/IEC 20000 is a focused specification for IT service management, its terminology is that of IT service management and all types of assessment will need to be carried out by competent auditors in order to provide you with an assessment report and a certificate if successful, which will be totally aligned with your IT service management business.

71

ISO/IEC 20000 addresses only the IT Service Management processes, and the supporting Management System. Adoption of ISO/IEC 20000 is therefore relevant to those organisations which specifically wish to target their IT Service Management processes, and is not directly related to the adoption or continuance of ISO 9000. There is however some areas of overlap between the standards. Should the principal purpose of your business be ITSM, then ISO/IEC 20000 is virtually essential. Is an existing ISO 9001 certification of benefit? Yes. An existing ISO 9001 Certification indicates that the knowledge and processes of a structured QMS are already accepted and in use. It should quicken the process, and provides the opportunity for both certifications to be assessed together. Which other frameworks can be used with ISO 20000? Whilst ITIL is the most common and most closely aligned, it is by no means mandatory to use it. Other potential frameworks/methods include MOF, COBIT and Six Sigma.

72

As a business seeking ISO/IEC 20000 certification, what external help is available? There are a number of organizations that have qualified consultants who can advise on the appropriate course of action required. In addition, many RCBs will offer pre-audit evaluations to help the organisation understand its current status. In addition, BSI has produced a series of books to assist with understanding different aspects of a full service management solution. Contact us for further information. As an ITIL Service Management Consultant with an interest in ISO/IEC 20000, how can I help my clients? Your consultants should become qualified in ISO/IEC 20000. See the Qualification Scheme on the following page.

73

I believe there are many quality standards available. How do they compare and overlap? There are many Quality Standards, frameworks and methods available and being unsure which one to examine or implement is understandable. You may have heard of MOF, CoBIT, CMM, TickIT, ISO 9000, ISO27001, EFQM, Six Sigma, Balanced Scorecard and SarbannesOxley. Most are not Standards in the strict sense, but simply tools to help organisations operate more efficiently and effectively. It is important to understand the scope and purpose of each one, and then to match this to what you are trying to achieve in your organization.

74

ISO/IEC 20000 is unique in that it mirrors ITIL Service Management principles. ISO/IEC 20000 will be readily understood by anyone with ITIL qualifications. MOF, for instance, a branded product, openly states that it utilises ITIL principles, but also concentrates on the use of Microsoft products in its implementation. TickIT works in conjunction with ISO 9000 and focuses on application development and project management. CoBIT focuses on corporate governance and can be used with ITIL. Six Sigma is a process improvement tool but is not specific to ITSM and can be used with ITIL. CMM is a maturity measure for primarily application development and project management processes. Most quality systems, by their very nature, will overlap with each other. The most common overlap will be in the areas of quality management, training, documentation audit and conformance. A significant point in the adoption of or conversion to another standard is to avoid discarding any process, procedure or documentation without serious examination.

75

In what ways will ISO/IEC 20000 help me? As well as the potential external marketing and commercial benefits, it provides a recognised and tried and tested management system which allows an IT service organisation to plan, manage, deliver, monitor, report, review and improve its services. It not only looks at operational aspects but also focuses on the business controls covering associated risks, finances, resources and capabilities, providing a proper infrastructure to enable a traditional Plan, Do, Check, Act (PDCA) cycle to be implemented and managed. Our IT is distributed around the UK (and even overseas). Can sites be certified separately? The scoping statement will be agreed with the Registered Certification Body carrying out the assessment and may restrict the scope of the audit and certification to certain services, geographies, locations etc. It is not mandatory for all of an organisation to be certified. This makes it essential for customers seeking an organisation which is ISO/IEC 20000 certified to ask to see the scoping statement to ensure the services they require are actually covered. We do not have all the processes in place. Can we become partcertified? The simple answer is NO.

76

All of the ISO/IEC 20000 requirements have to be in place at an appropriate level. It is not permitted to exclude parts of the standard by, for example, declining to carry out one or more of the processes. Some processes may be outsourced, but they must be performed and the organisation being audited must demonstrate effective management control of those processes, including the interfaces with other, internal service management processes. What Are the Benefits of ISO/IEC 20000 Certification? Primarily, the organisation will become more competitive, reducing the risk, cost and time to market new products and services, whilst improving value for money and service quality. They will be able to manage suppliers more effectively. Service providers will become more responsive, with services which are business-led rather than technology-driven. Your IT service is more likely be chosen, or renewed over that of a competitor that does not demonstrate ISO/IEC 20000 certification, providing both a competitive edge and demonstrating a visible commitment to managing the provision of IT services. It will provide enablers to visibly support the business strategy, with opportunities to improve the efficiency of services in all areas, impacting on costs and service.

77

An operational benefit is to clearly demonstrate service reliability and consistency, which in any environment is critical to business survival and potential growth. Certification audits are continual and should be treated as a mechanism for educating and raising awareness of employees. Certification can also reduce the amount of supplier audits thereby reducing costs. Finally, the use of qualified and independent auditors can be used as a benchmark. What are the origins of ISO/IEC 20000? ISO/IEC 20000 was adopted as an International standard from the original British Standard (BS 15000). There were minor changes during the internationalisation, mainly to do with formatting and clarity. There were few substantive changes to requirements. The edition of BS15000 (BS 15000-1:2002 & BS 15000-2:2003) that was submitted to ISO was actually the second edition and replaced an earlier version released in 2000 called BS15000:2000. The second edition came about as a result of experience and feedback from early adopters of the 2000 edition. The original standard was based on a Code of Practice for IT Service Management DISC PD 0005:1998.
78

The technical panel which produced BS15000 included representation from the British Computer Society (BCS), the Office of Government Commerce (OGC) and the IT Service Management Forum (itSMF) as well as from IT organisations and technical experts. BS 15000 was aligned with ITIL, best practice guidance and advice first published by the UK government in the 1980s. Today, ITIL is the globally accepted de facto standard for best practice processes in ITSM. ITIL was a major contributor to the development of ISO/IEC 20000, in that its major processes have been adopted entirely, and augmented by a few key management processes. What is ITIL? ITIL provides proven best practices in IT Service Management (ITSM), derived from public and private sector experts world-wide. Currently, the core publications in ITIL are Service Support; Service Delivery; ICT Infrastructure Management; Application Management; Security Management; Planning to Implement Service Management; and The Business Perspective (of ITSM). The processes defined in these publications also formed the core processes in BS 15000 (and hence ISO/IEC 20000)

79

Isnt ITIL Best Practice? Yes it is. ISO/IEC 20000 incorporates all the ITIL Service Support and Service Delivery processes but goes further by separating out Service Reporting and introducing three new processes covering Business Relationship Management, Supplier Management and Information Security Management. Additionally there are three management system processes. ITIL is best practice guidance but it is not possible to be accredited as a company against ITIL. The standard is a specification which provides the company level accreditation to demonstrate the consistent use of best practice. ISO/IEC 20000 does not mandate the use of ITIL. However, demonstrating best practice in IT Service Management is of course far easier if it is underpinned by the use of ITIL. Will ISO/IEC 20000 be readily understood by anyone with ITIL qualifications? ISO/IEC 20000 and ITIL share common terminology so the short answer is yes. Remember that conformance is also based on demonstrating appropriate training and skills to deliver the services being accredited so ITIL training should form a significant part of your Best Practice program.

80

What is the benefit of the logo? Whilst it is possible to seek an opinion from anyone as to whether you meet the standard, only Certificates of Compliance which bear the ISO/IEC 20000 logo confirm that the Certification Body which issued the Certificate is one which has been registered as complying with the stringent requirements of the itSMF ISO/IEC 20000 Certification Scheme. Organisations which have a current Certificate of Compliance bearing the itSMF logo are also permitted to display the logo on their stationery, etc. subject to certain terms and conditions. In this way the organisation can demonstrate their compliance with the standard to a wide audience. Why should I seek certification through the itSMF managed scheme? itSMF are the owners and managers of the ISO/IEC 20000 certification scheme. itSMF is generally accepted as the leading body of expertise for Service Management. Becoming certified against ISO/IEC 20000 implies that you have been formally recognised in achieving a rigorous standard in IT Service Management by the organisation which is at the forefront of IT Service Management quality initiatives.

81

Our IT is distributed internationally. Can sites be certified separately? Yes. Eligibility is based on demonstrating management control of all processes within the ISO/IEC 20000 standard relative to the scope of certification. A certification may be scoped by specific sites, departments, or by IT services irrespective of location. Are customers already asking for ISO/IEC 20000 and BS15000 in tender documents? Yes. There are a number of customers asking for statements of supplier conformance, accreditation plans and quality management policies: some are quoting ISO/IEC 20000 or BS15000 specifically as the service requirement. It is likely that this movement will grow and, quite simply, if a prospective supplier cannot demonstrate such conformance, they may not be considered during a tendering exercise. Even if a customer doesnt ask for certification, your service is more likely to be chosen over that of a competitor who does not demonstrate ISO/IEC 2000 or BS15000 certification, providing competitive advantage.

82

TERMS AND DEFINITIONS A S S O C I AT E D W I T H I S O 2 0 0 0 0


Term Accreditation Body Definition Assess organizations that provide certification, testing, and inspection and calibration services. Accreditation by an accreditation body demonstrated competence, impartiality and performance capability of an organization that does audits. Ensures a consistent approach. Accredited Certification Body Organization that performs certification audits, commonly referred to as professional audit companies and which has been accredited by an accreditation body. Availability Ability of a component or service to perform its required function as a stated instant or over a stated period of time. Note: Availability is usually expressed as a ratio of the time that the service is actually available for use by the business to the agreed service hours.

83

Term Baseline

Definition Snapshot of the state of a service is actually available for use by the business to the agreed service hours.

Certification

Procedure by which a 3rd party gives written assurance that a product, process or service conforms to specified requirements. ISO/IEC 20000 certification means meeting the specified requirements following an independent audit by an accredited certification body.

Change record

Record containing details of which configuration items are affected and how they are affected by the authorized change.

Code of Practice

A standard that recommends good, accepted practice as followed by competent practitioners. Recommendations in a code of practice use the auxiliary should. A code of practice will not contain the verb form shall.

84

Term Compliance

Definition Meeting the requirements in ISO/IEC 20000 (or another national or international standard), as assessed by an internal audit or an organization that is not an accredited certification body or qualified to carry out ISO/IEC 20000 certification audits. Compliance includes Self-certification audits.

Configuration Items (CI)

Component of an infrastructure or an item which is, or will be, under the control of configuration management. Note: configuration items may vary widely in complexity, size and type, ranging from an entire system including all hardware, software and documentation, to a single module or a minor hardware component.

Configuration Management Database (CMDB)

Database containing all the relevant details of each configuration item and details of the important relationships between them.

85

Term Document

Definition Information and its supporting medium. Note 1: In this standard, records are distinguished from documents by the fact that they function as evidence of activities, rather than evidence of intentions Note 2: Examples of documents include policy statements, plans, procedures, service level agreements and contracts.

Incident

Any event which is not part of the standard operation of a service and which causes or may cause an interruption to , or a reduction in, the quality of that service.

Normative

Indicating compulsory provisions in a standard (as opposed to informative provisions which are purely there for information).

86

Term Problem

Definition Unknown underlying cause of one or more incidents.

Record

Document stating results achieved or providing evidence of activities performed. Note 1: In this standard, records are distinguished from documents by the fact that they function as evidence of activities rather than evidence of intentions. Note 2: Examples of records include audit reports, requests for change, incident reports, individual training records and invoices sent to customers.

Release

Collection of new and/or changed configuration items which are tested and introduced into the live environment together.

Request for change

Form or screen used to record details of a request for change to any configuration item within a service or infrastructure.
87

Term Service Desk

Definition Customer facing support group who do a high proportion of the total support work.

Service Level Agreement (SLA)

Written agreement between a service provider and a customer that documents services and agreed service levels.

Service Management

Management of services to meet the business requirements.

Service Provider

The organization aiming to achieve ISO 20000.

Shall

Verb forms that identifies a recommendation, i.e. the guidance provisions in ISO/IEC 20000. This is used extensively in ISO/IEC 20000. In ISO/IEC 20000 the word should occurs only in the Notes, as these represent explanations similar to the advice in ISO/IEC 20000.

88

Term Specification

Definition A standard that sets out detailed requirements, using the prescriptive shall, to be satisfied by a product, material process or system. In ISO/IEC 20000 the verbs shall (and should) refer to aspects of the management processes, also including policy, procedures, plans and objectives.

89

L I S T O F A C R O N Y M S A S S O C I AT E D
WITH

ISO 20000
Accredited Course Provider American National Standards Institute Australian Standard Business Process Modeling British Standard Balanced Scorecard British Standard Institution Change Advisory Board Corrective Action Plan Central Computer and Telecommunications Agency (British Government, now OGC)

ACP ANSI AS BPM BS BSC BSI CAB CAP CCTA

CEO CFIA CIO CI CISM CMDB

Chief Executive officer Component Failure Impact Analysis Chief Information Officer Configuration Item Certified Information Security Manager Configuration Management Database

90

CMM CMMI COBIT CPD CRAMM CSI CSF CSS DML DSL EA EFQM ENAC ESP FISM FSC FTA IAF IRCA IS

Capability Maturity Model Capability Maturity Model Integration Control Objectives for IT Continual Professional Development CCTA Risk Analysis and Management Method Continual Service Improvement Critical Success Factor Customer Satisfaction Surveys Definitive Media Library Definitive Software Library European cooperation for Accreditation European Foundation for Quality Management Entidad Nacional de Acreditacion (Spain) External Service Provider Fellow of the Institute of Service Management Forward Schedule of Change Fault Tree Analysis International Accreditation Forum, Inc. International Register of Certificated Auditors Information System
91

IEC ISACA ISO ISM ISMS IT ITIL ITOCO ITSM ITSCM itSMF ITT JAB

International Electrotechnical Commission Informational Systems Audit and Control Association International Organization for Standardization Institute of Service Management Institute of Security Management System Information Technology Information Technology Infrastructure Library Input-Throughput-Output-Control-Outcome IT Service Management IT Service Continuity Management IT Service Management Forum Invitation to Tender The Japan Accreditation Board for Conformity Assessment

JQA KPI MI MISM MLA MOF

Japanese Quality Association Key Performance Indicator Management Information Member of the Institute of Service Management Multilateral Recognition Arrangement Microsoft Office Framework

92

MTRS NAB OGC OLA OSS PDCA PIR PRINCE2 QMS RAID RCB RfC RfP ROI RvA SANS Institute SEI SIP SLA SLM

Mean Time to Restore Services National Accreditation Body Office of Government Commerce Operational Level Agreement Operational Support System Plan-Do-Check-Act Post Implementation Review Projects In Controlled Quality Management System Risks, Assumptions, Issues, Dependencies Registered Certification Body Request for Change Request for Proposal Return on Investment Raad voor Accreditaire (Netherlands) SysAdmin, Audit, Network, Security Institute Software Engineering Institute Service Improvement Plan Service Level Management Service Level Management
93

SOA SOX SPOF SQM TGA TOP TQM UC UKAS

Service Outage Analysis Sarbanes-Oxley Act Single Points of Failure Service Quality Management German Association for Accreditation Technical Observation Post Total Quality Management Underpinning Contract The United Kingdom Accreditation Service

94

FURTHER READING
For more information on other products available from The Art of Service, you can visit our website: http://www.theartofservice.com If you found this guide helpful, you can find more publications from The Art of Service at: http://www.amazon.com

95