Policies

Service management policy (4.1.1, 4.1.2)

Policy on continual improvement of the SMS and the services (4.5.5.1)
Budgeting and accounting policies (6.4)
Information security policy (6.6)
Change management policy (9.2)
Release management policy (9.3)
Plans
Service management plan (4.1.1, 4.5.2)
Service continuity plan (6.3.2)
Availability plan (6.3.2)
Capacity plan (6.5)
Objectives of internal audits and management reviews (4.5.4.1)
Audit program (4.5.5.2
Plan to implement an improvement (4.5.5.2)
New or changed service plan (5.2) [for removal of service, a removal plan]
Release plan (9.3)
Procedures
Clause 4.3.1 requires documented service management processes. The required processes are
those in Clauses 5 to 9. There are also processes in clause 4 which require a documented
description e.g. resource management, documentation management.
Clause 4.3.1 also requires documented procedures required by this part of ISO/IEC 20000. The
required procedures are:
Communication procedures
Control of documents
Control of records
Internal audit procedure planning and conducting internal audits
Management of improvements
Procedures to be used for the delivery of new or changed services
Procedures to support the budgeting and accounting for services process
Procedures to be implemented in the event of a major loss of service as part of the service
continuity plan
Procedures to enable predictive analysis of capacity
Managing service complaints
Managing contractual disputes
Incident management procedure managing incidents from recording to closure, managing
major incidents
Managing the fulfillment of service requests from recording to closure
Problem management procedure identifying problems and minimizing or avoiding the impact
of incidents and problems
Configuration management procedure recording, controlling and tracking configuration items
Change request procedure recording, classifying, assessing and approving requests for change
Emergency change request procedure managing emergency changes
Managing emergency release procedure
Definitions
There are a few documented definitions required. These are as follows:
Service complaint (7.1), this is often defined in the SLA
Major incident (8.1), this is often defined in the SLA
Types of CI (9.1), this is usually defined in the configuration management process
Other Key Documents
Service requirements (4.1.4)
Catalogue of services (4.3.1, 6.1)
Service level agreements (4.3.2, 6.1)
Documented agreements (6.1), This applies specifically to agreements between internal groups
or customers acting as suppliers that are providing some service components or operating a
process or part of a process. These can be known as operational level agreements (OLAs)
Description of each service report, including its identity, purpose, audience, frequency and
details of the data source(s) (6.2)
Risks to service continuity and availability of services (6.3.1)
Opportunities for improvement, including corrective and preventive actions (4.5.5.1)
Design of new or changed services (5.3) for each new or changed service
Information security controls including the risks to which they relate (6.6.2) and those controls
for external organizations (6.6.3)
Customers, users and interested parties of the services (7.1)
Supplier contracts (7.2)
Roles of, and relationships between, lead and sub-contracted suppliers (7.2)
Records
Records are required to enable control and provide evidence of conformity to the requirements of the
standard (4.3.1). Records can be paper based or kept on tools. Examples of records are minutes of
management review meetings, incident records on a service desk tool and service reports.
Other possible documents
Clause 4.3.1 also refers to additional documents, including those of external origin, determined by the
service provider as necessary to ensure effective operation of the SMS and delivery of the services.
Examples of such documents are user manuals from a software tool vendor or the ISO/IEC 20000
standard itself.