
Required ISO 20000 Documents

Document Type

Documentation ISO 20000

Service Management policy


Service Improvement policy

Clause
Standard
ISO20000
3.1 a
4.4.1

Budgeting & Accounting policies

Required
Policies

- For all components

6.4 a

- Apportioning indirect costs


- Effective financial control

6.4 b
6.4 c

Information Security policy

6.6

Configuration item definition

9.1

Emergency Change Policy

9.2

Release policy
Service Management plans

4.1

Management Review plans

4.3

Audit Programme

4.3

Service Improvement

Required Plans

10.1

Planning for new and changed services

4.4.2
5

Business plan

6.3

Availability and Service Continuity plans

6.3

Capacity plan
Configuration Management
Release plan

6.5
9.1
10.1

Management of Improvement

4.4.2

Budgeting & Accounting


- For all components

6.4 a

- Apportioning indirect costs


- Effective financial control

6.4 b
6.4 c

Complaints process

Required
Processes

7.2

Required
Processes

Required
Procedures

Customer Feedback

7.2

Supplier Management

7.3

- Contract Review
- End of Service
- Contractual Dispute
Communication process
Major Incident Management

7.3
7.3
7.3
7.3
8.2

Change Management

9.2

Emergency Release

10.1

Document Control

3.2

Audit Procedure

4.3

Service Capacity Monitoring &


Performance

6.5

Security Incident Investigation

6.6

Incident Management
Problem Management
Configuration Control
Configuration Audit

8.2
8.3
9.1
9.1

Control of Emergency Changes

9.2

Release Management

Additional Core
Processes

Service Level Management

6.1

Service Reporting

6.2

Service Continuity and Availability


Management

6.2

Capacity Management

6.4

Information Security Management

6.5

Business Relationship Management

7.2

Incident Management
Problem Management

8.2
8.3

Configuration Management

9.1

Release Management
Scoping

Additional
System

10.1

10.1

Additional
System
Elements

Required
Records*

Risk Management

3.1

Competence, Awareness, Training

3.3

Management System Integration

N/A

Risk Management analysis


Corrective and Preventative Action
Reports
Service Level Agreements
Service Reporting

3.1

Continuity / Availability Records

6.3

Budgeting and Accounting records

6.4

Capacity management records

6.5

Security Control records


Security Risk Assessment
Security Incident Reporting

6.6
6.6

Customer service review records

7.2

Supplier SLAs and service level target


reviews
Incident Records

*only core
system records

System Roles
*required

4.4
6.1
6.2

6.6

7.3
8.2

Problem records (known error database)

8.3

Configuration Management Database

9.1

Configuration Audit Results


Change Records
Release records

9.1
9.2

Management Representative
Business relationship manager
Supplier contract manager
Senior responsible owner
ISMR

10.1
3.1
7.2
7.3
-2, 3.1

-2, 6.6.6.

not at draft stage


approximately 50% (rough draft only)
60 - 80 % (developed draft, with limited records)
90 % + (limited revisions required)

Required ISO 20000 Documentation Summary


ISO System Mapping and Ownership
ISO 9001 or ISO 27001 clause

ISO 27001 4.2.1 Establish the ISMS; control


A 5.1.1

ISO 9001 Management Review 9.6; ISO


27001 Review 7
ISO 9001 Audit Requirements 8.2.2; ISO
27001 Audit Controls control 15.3.1

ISO 27001 Business Continuity Planning


controls 14.1.3, 14.1.4

ISO 9001 8.5.1 Continual Improvement;


ISO 27001 (same) 8.1

ISO 9001 Customer Communication 7.2.3

Probable Department
Ownership

ISO 9001 Customer Satisfaction 8.2.1


ISO 27001 Third party service review,
control A 10.2.2

ISO 27001 Change Management control A


10.1.2; Change Control Procedure A 12.5.1

ISO 9001 Control of Documents and


Records 4.2.2, 4.2.3; ISO 27001 4.3.2 and
4.3.3
ISO 9001 Internal Audit 8.2.2; ISO 27001 6

ISO 27001 Incident Responsibilities and


Procedures control A 13.2.1

ISO 27001 Change Management control A


10.1.2; Change Control Procedure A 12.5.1
ISO 27001 System acceptance control A
10.3.2

ISO 27001 Business Continuity controls A


14.1.1 - 14.1.5
ISO 27001 Capacity Management control A
10.3.1

ISO 9001 Scope 1; ISO 27001 Scope 1

ISO 27001 Establish the ISMS 4.2.1


ISO 9001 (same) 6.2.2; ISO 27001 (same)
5.2.2
ISO 9001 Compatibility with other
management systems 0.4; ISO 27001
(same) 0.3

Standard clause detail
Description in clause
Establish the service management policy, objectives and plans
General policy

Budgeting and accounting for all components including IT assets, shared resources,
overheads, externally supplied services, people, insurance and licences
Apportioning indirect costs and allocating direct costs to services
Effective financial control and authorization
Information Security management
Configuration management
Change management, system should include standard, normal, and emergency
changes
Release management process
Plan service management
Monitoring, measuring and reviewing
Monitoring, measuring and reviewing
Management of improvements
Planning and implementing new or changed services
Service continuity and availability management
Service continuity and availability management
Capacity management
Configuration management
Release management process

Management of improvements
Process requirements do not cover charging
For all components including IT assets, shared resources, overhead, externally
supplied services, people, insurance, and licenses
Apportioning indirect costs and allocating direct costs to services
Effective financial control and authorization
Business relationship management

Business relationship management


Supplier management
Supplier management
Supplier management
Supplier management
Supplier management
Incident management
Change management, requires formal approval of normal changes and a forward
schedule of changes
Release management process

Documentation requirements
Monitoring, measuring, and reviewing
Capacity management
Information security management
Incident management
Problem management
Configuration management
Configuration management
Change management
Release management process
Relates to Service Reporting and Business Relationship Management
Relates to Service Level Management and Business Relationship Management
Essentially Business Continuity Management with additional scope related to
availability

ISO 27001 system should cover all requirements


Relates to Service Level Management and Service Reporting
Must provide input to Problem Management
Must interrelate with Incident, Change, Problem, and Release management
processes

System can be limited in scope

Requirement to assess risks to service provision


Stated requirements are general
Guidance on integrating systems

Relates to risks to service management, form is not specified


Should integrate 9001 and 27001 procedures
Required for each service, targets are also required
Must relate to SLA targets
Contact list and BCM system test records
Charging not covered; monitoring and reporting costs against budgets is required;
requires interface with change management
Need to "monitor service capacity, tune service performance, and provide
adequate capacity"
Current Risk Treatment records are not complete
Should be updated at regular intervals
Security incident record keeping is not sufficient
Regular review meeting minutes would cover this requirement
Both regular review of the target performance and a general, annual review of
each supplier is required
Major incidents must be managed separately
All staff involved with incident resolution must have access to these
Must interrelate with Incident, Change, Problem, and Release management
processes
Recording deficiencies, corrective actions, and reporting is required
Requires classifications (ex: major, standard, routine, emergency)
Success and failure of releases must be assessed
Plans, policy and objectives
Maintain a good relationship between service provider and customer
Contract and evidence documents
Relation in ISO 9001 and ISO 27001
Information Security Management

Company Reference Document Remarks
