What is ISO/IEC 20000?
For many years the IT service management world lobbied the need for a standard, one which would complement those already in existence for business processes. Although many service providers had invested in the adoption of a service management framework, such as ITIL®, there was no real independent means where they could prove to be customer driven, be making continual service improvements and demonstrate integrated service management processes.
November 2000 saw the British Standards Institute (BSI) launch BS 15000. This introduced the concept of requirements for an ITSM quality management system in addition to the quality of separate IT service management processes.
In December 2005, BS 15000 was replaced by ISO/IEC 20000. The first international standard for IT service management was published by the International Organisation for Standardization (ISO). The standard initially comprised of two parts: ISO/IEC 20000-1, Specification of service management, a number of mandatory requirements which the service provider has to satisfy to achieve certification and ISO/IEC 20000-2, ‘Code of practice for service management,’ best practice recommendations and guidance on how to meet the requirements of the standard and achieve certification. Since 2000 we have seen the release of new parts of the standard and updates to existing parts. Currently available:
ISO/IEC 20000-1:2018 (Service management system requirements)
ISO/IEC 20000-2:2019 (Guidance on the application of service management systems)
ISO/IEC 20000-3:2019 (Guidance on scope definition and applicability of ISO/IEC 20000-1)
ISO/IEC 20000-4:2010 (Process reference model)
ISO/IEC TR 20000-5:2013 (Exemplar implementation plan for ISO/IEC 20000-1)
ISO/IEC 20000-6:2017 (Requirements for bodies providing audit and certification of service management systems)
ISO/IEC 20000-10:2018 (Concepts and vocabulary)
ISO/IEC TR 20000-11:2015 (Guidance on the relationship between ISO/IEC 20000-1 and service management frameworks: ITIL®)
ISO/IEC TR 20000-12:2016 (Guidance on the relationship between ISO/IEC 20000-1 and service management frameworks:CMM1-SVC)
Part 3 gives advice on scope definition, applicability and conformity assessment. Part 4 is a Technical Report which facilitates the development of a process assessment model. Part 5 is a Technical Report giving advice on the implementation plan for ISO/IEC 20000-1. Part 10 describes the core concepts of ISO/IEC 20000 and supporting parts. Part 11 provides guidance on the relationship between ISO/IEC 20000-1 :2011 and a commonly used service management framework ITIL®. Part 12 provides guidance on the relationship between ISI/IEC 20000-1:2011 and CMMI-SVC V1.3 (maturity levels 1 – 3)
Certification to ISO/IEC 20000 follows the successful audit by one of the Registered Certification Bodies (RCB), an independent body.
For those service provider organisations already working to one of the many service management frameworks, meeting the requirements of the standard shouldn’t involve that big an investment. For example, if you can demonstrate the following you’ll be meeting the ISO/IEC 20000-1 requirements for incident management.
- Are all incident logged?
- Is there a system in place for tracking, prioritising, escalating and formally closing incidents?
- Are customers informed before the SLA target is missed?
- Do incident management have access to known errors, problem resolutions and the CMDB?
- Is there a process for dealing with major incidents?
The above points should be done in context of an overall IT service management system.
- Senior management set policies, show commitment and review
Documents are controlled - Staff are competent, aware of their contribution and trained
- There are continual improvement activities
- Internal audits are scheduled and conducted
- There is integrated service management
For those service provider organisations contemplating ISO/IEC 20000 certification it’s worth noting that you don’t have to be perfect and the scope doesn’t have to include all services to all customers.
However, you do have to meet all the requirements of the standard. The service management system does have to be fit for purpose, consistent and continual improvements must be embedded within the organisation.