ISO20000 – how to achieve certification. • Summary ... in 1989. • ITIL defines 'best
practice' processes and procedures .... Document Management Procedures.
ISO20000: What it is and how it relates to ITIL v3 John DiMaria; Certified Six Sigma BB, HISP BSI Product Manager; ICT (ISMS,ITSM,BCM)
© 2006 BSI Management Systems All Rights Reserved
Objectives and Agenda To raise awareness, to inform and to enthuse • ISO20000 – what is it? • ISO20000 – how does it relate to ITIL3? • ISO20000 – why do you need it? • ISO20000 – how to achieve certification • Summary
© 2006 BSI Management Systems All Rights Reserved
-2-
ISO20000 – What is it?
ISO/IEC 20000 • Part 1 – Specification for Service Management ISO/IEC 20000-1: 2005 • Part 2 – Code of practice for Service Management ISO/IEC 20000-2:2005 ‘To promote the adoption of an integrated process approach to deliver managed services to meet the business and customer requirements’ ISO/IEC 20000-1:2005
© 2006 BSI Management Systems All Rights Reserved
-4-
Part 1 and Part 2 Audit is against part 1. Assess and Aim initially for minimum requirements – part 1; Use Part 2 for guidance and continuous improvement Part 1 – Specification
Part 2 – Code of Practice
• Management with appropriate authority shall approve an information security policy that shall be communicated to all relevant personnel and customers where appropriate.
• The service providers staff with information security roles should be conversant with BS7799 (ISO17799/ ISO27001).
© 2006 BSI Management Systems All Rights Reserved
-5-
History • UK Government launches IT Infrastructure Library (ITIL) in 1989 • ITIL defines ‘best practice’ processes and procedures • ITSMF formed in 1991 to further develop best practice • BSI Service Management committee develops a code of practice book and then a standard aligned to ITIL • BS 15000 first published in 2000 as a specification • Early adopters programme led to revised edition in 2002 • Certification scheme available from November 2003 • Adopted as ISO 20000 in December 2005 © 2006 BSI Management Systems All Rights Reserved
-6-
Product Fit ISO 20000
ISO 27001
ISO 9001:2000
© 2006 BSI Management Systems All Rights Reserved
-7-
Process mapped to organizational unit Organization
Operations and Network Management
Print and Mail
IT Manager
Office Automation and Telematics
Software Department
Project Organization
Process
© 2006 BSI Management Systems All Rights Reserved
-8-
Service Desk
Software Maintenance and Application Management
The world’s first IT service management process standard … that provides the industry with a standard that can be used for auditing and assessing internal service providers and external suppliers across the supply chain To help organizations provide a quality service and be cost effective via professional service management
Supplier A
Service Provider
Supplier B (Lead Supplier)
Supplier12 © 2006 BSI Management Systems All Rights Reserved
Scope of ISO 20000
Supplier23 -9-
Customer
ISO20000 Process Framework
© 2006 BSI Management Systems All Rights Reserved
- 10 -
Plan, Do, Check, Act Management System Manage Services Management Management Responsibility Responsibility
Business Business requirements requirements
PLAN PLAN Plan Plan service service management management
Customer Customer requirements requirements Request Request for for new new or changed services or changed services
Other Other process, process, business, business, supplier, supplier, customer customer
Customer Customer Satisfaction Satisfaction DO DO Implement Implement Service Service Management Management
ACT ACT Continuous Continuous Improvement Improvement
CHECK CHECK
Business Business Results Results
New New or or changed changed service service Other Other process, process, business, business, supplier, supplier, customer customer
Monitor, Monitor, Measure Measure
Other Other Teams, Teams, e.g. Security e.g. Security
© 2006 BSI Management Systems All Rights Reserved
Source: ISO 20000
and and Review Review
- 11 -
Team Team & & People People Satisfaction Satisfaction
ISO20000 – How does it relate to ITIL
IT Service Management Framework
© 2006 BSI Management Systems All Rights Reserved
- 13 -
ITIL® v3 Lifecycle Framework Governance Methods
&
Continual Service Improvement
Al ig nm en t
Spe cialt y To pics
s die Stu se Ca
Service Design Service Strategies
ITIL ITIL
ice erv l S nt ua eme in nt rov Co Imp
Service Transition
Co n Im tinu pr al ov Se em rv en ice t
on cti du ro Int ve uti ec Ex
St ud y
Templates
Service Operation
s in W ick Qu
Ai ds
Qualifications © 2006 BSI Management Systems All Rights Reserved
Sc ala bil ity
e dg e l w no K
St an da rd s
s ill k S
- 14 -
(c) Crown Copyright 2007 Reproduced under Licence from OGC
ITIL ® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office
Common processes across ISO20000 and ITIL v3 • Incident Management • Problem Management • Service Level Management • Service Reporting • Supplier Management • Capacity Management • Information Security Management • Change Management
© 2006 BSI Management Systems All Rights Reserved
- 15 -
Similar processes across ISO20000 and ITIL v3 • Release Management
Release and Deployment Management in ITIL v3
It additionally covers deployment approaches and knowledge transfer in more detail, and early life support
• Configuration Management
Service Asset and Configuration Management in ITIL v3 •
Manages service assets from acquisition to disposal
•
Provides a configuration model of services, assets and infrastructure, and their relationships
• Service Continuity and Availability Management
Two separate processes in ITIL v3
• Budgeting and Accounting for IT Services
Financial Management in ITIL v3
© 2006 BSI Management Systems All Rights Reserved
- 16 -
Processes within ISO20000 but not ITIL v3 • Business Relationship Management
This is mentioned briefly in the ITIL v3 Service Strategy book but is not expanded to be a process
Some elements such as Customer Satisfaction Survey and addressing complaints are covered in the ITIL3 SLM process
© 2006 BSI Management Systems All Rights Reserved
- 17 -
Functions ISO20000
ITIL v3
• None – ISO20000 is process based and does not cover functions
• Service Desk • IT Operations Management • Application Management • Technical Management
© 2006 BSI Management Systems All Rights Reserved
- 18 -
Roles ISO20000
ITIL v3
Top/Executive Management
not defined
Senior Responsible Owner
not defined
not defined
Service Owners
Process Owners
Process Owners/Managers
not defined
Functional Group Managers
Contract Managers Contract Managers Individual(s) responsible for customer satisfaction and the whole business Business Relationship Manager relationship process not defined
Product Manager
not defined
Service Design Manager
not defined
Chief Sourcing officer
© 2006 BSI Management Systems All Rights Reserved
- 19 -
Key Corresponding Documents ISO20000
ITIL v3
Service Improvement Policy
Continual Service Improvement Policy
Configuration Management Policy
Service Asset and Configuration Management Policies
Release Policy
Release Policy
Financial Policy
Financial Plans and Budgets
Information Security Policy
Information Security Policy
Service Level Agreements, Supporting Service Agreements and Contracts
Service Level Agreements, Operating Level Agreements and Contracts
Emergency Change Policy
Change Management Plans
Service Improvement Policy Plan for improving the service
Service Improvement Plans
Availability, Service Continuity, Capacity, Roll Out and Release Plans
Availability, IT Service Continuity, IT Recovery, Capacity and Release Plans
Documented Processes and Procedures
Appropriate Process Documentation
© 2006 BSI Management Systems All Rights Reserved
- 20 -
Other Key Documents ISO20000
ITIL v3
• Service Management Policy
• Stakeholder Management Strategy
• Service Management Plan
• Service Portfolio
• Definitions of Service Management Roles, Responsibilities and their competencies
• Service Design Package
• Framework of Management Roles and Responsibilities
• Test Strategy
• Plans for New and Changed Services
• Service Catalogue
• Document Management Procedures
• Reporting Policy
• Risk Management Approach
• Knowledge Management Strategy
• Methods for Monitoring and Measuring Processes
• Projected Service Outage
• Service Level Package
• Change Schedule
• Audit Procedure and Audit Plan • Complaints process • Security Controls • List of Stakeholders and Customers • Service Report Descriptions © 2006 BSI Management Systems All Rights Reserved
- 21 -
Mapping Summary ISO20000
ITIL v3
Standard and Code of Practice
Best Practice
Certification for a service provider
Qualifications for individuals
Definitive high-level requirements for processes and management system
Detailed Best Practice guidance, description and implementation aids
Organisational structure independent
Defines many function and process roles and responsibilities
13 processes; no functions, lifecycle not explicitly specified
26 processes and four functions documented in five lifecycle stages
Definitive set of required documents
Descriptions of key documentation
© 2006 BSI Management Systems All Rights Reserved
- 22 -
ISO20000 – Why do you need it?
Why do we need Service Management? • The Business is more and more dependent on IT • Complexity of Technology constantly Increases • Customers are demanding more for less • Global competitiveness growing at rapid rate requiring a more flexible approach to integration • Stronger focus on controlling costs of IT • Low customer satisfaction levels (Not surveys) • Information Governance Regulations • Customers have become services focused with a strong orientation related to service levels and costs. © 2006 BSI Management Systems All Rights Reserved
- 24 -
Drivers • Move from investing in tools to develop software to managing the quality of these systems and linked processes once they are “live” • The need to deliver cost effective service delivery • Lack of guidance and accepted standards • Raising the profile of the IT department • Government / ITIL / ISO20000 II nn vv ee ss tt m m ee nn tt
Revenue Revenue growth growth
Employee Employee retention retention
Internal Internal Services Services Quality Quality
Employee Employee satisfaction satisfaction
© 2006 BSI Management Systems All Rights Reserved
Value Value for for customers customers
Employee Employee productivity productivity
- 25 -
Customer Customer satisfaction satisfaction
Customer Customer loyalty loyalty
Profitability Profitability
Drivers to achieving certification to ISO20000 External service providers
Generic drivers for all
• ISO20000 is becoming a basic bid requirement especially for IT Service Providers, in the same way as ISO9000 ten years ago
• Hard evidence that Quality of ITSM is taken seriously
• Gives confidence to customers in selecting an external service provider who is ISO20000 certified
• Enforces a method of review and assessment linked to continuous improvement
• Provides a competitive edge
• Staff morale boosted by working in a controlled environment
Internal service providers
• Enforces process compliance by turning the “shoulds” into “shalls” so that all the benefits of best practice ITSM will be gained
• Significant milestone for an IT department demonstrating professionalism that has been independently certified
© 2006 BSI Management Systems All Rights Reserved
• Supports the business to operate more effectively
- 26 -
Certification to ISO 20000 • ISO 20000 is increasingly seen as the quality standard for IT Service Management • Many companies striving to adopt for its benefits to them and to also help qualify and choose suppliers and partner organizations • Only a formal certification scheme provides independent verification of compliance • Raises internal profile
© 2006 BSI Management Systems All Rights Reserved
- 27 -
Gartner view of ISO20000 - 2006 By 2008 ITIL Compliance will be a buying criteria in 75% of relevant IT sourcing decisions (0.8 probability) By year end 2008 at least 60% public sector and at least 30% private sector relevant IT sourcing deals in mature ICT economies will demand ISO/IEC 20000 certification in their RFPs (0.6 probability)
© 2006 BSI Management Systems All Rights Reserved
- 28 -
Samsung Case Study Benefits • Verification of IT services delivery meeting the needs of our topnotch customers • 37.5% reduction in operational problems through proactive problem management • Paradigm shift on IT service management from the technology-centered to the customeroriented • Demonstrating strengths as a strategic partner in IT outsourcing market both internally and externally
© 2006 BSI Management Systems All Rights Reserved
- 29 -
ISO20000 – How to achieve certification
Implementing Service Management Some of the biggest challenges IT teams face when implementing Service Management include: 1) getting the attention and commitment of senior management and 2) ensuring acceptance and adoption of managed change throughout the organization.
© 2006 BSI Management Systems All Rights Reserved
- 31 -
Implementing Service Management Service Improvement Program
Preparation
What is the vision? What are our objectives?
© 2006 BSI Management Systems All Rights Reserved
Assessment
Implementation
Are we there? Where are we now? Where do we want to be? How do we get there?
- 32 -
Implementing Service Management
Preparation
© 2006 BSI Management Systems All Rights Reserved
Assessment
- 33 -
Implementation
Preparing for ISO20000
© 2006 BSI Management Systems All Rights Reserved
- 34 -
Planning and Business case • Use gap analysis to plan way forward including quick wins • Costs:
Auditors
Internal staff involvement
External consultancy
Training
Tools
• Benefits:
Quantifiable – service improvements, staff savings, cost savings and control, holding onto contracts, winning contracts if requirement of bids, taking on more services with same staff numbers etc
Non-quantifiable – quality improvements, competitive edge, staff morale, customer satisfaction etc
© 2006 BSI Management Systems All Rights Reserved
- 35 -
Establish Management System and Processes • Use a process approach to implementation • Examine each key component in the process • Examine issues • Compare current status VS requirements • Take action on the differences and improve
Process ownership • R esponsibility • A uthority • S kills • A ccountability • R ecognition The RASAR’s edge
• Organizational skills assessment and training plan • Use a specified case study as guidance © 2006 BSI Management Systems All Rights Reserved
- 36 -
Certification Assessment Stages • Pre- audit assessment (optional) • Documentation Assessment • Compliance Assessment
Pre-certification
Certification Body Issues Certificate
• Continuing Assessment • Triennial Re-assessment
© 2006 BSI Management Systems All Rights Reserved
Post-certification
- 37 -
Common Pit Falls to implementation 1.
Existing processes & procedures did not always align
2.
Some processes did NOT exist, others not being used
3.
Some staff did not really understand the difference between process & procedure
4.
Implementation resource – staff still had to do their “day job”
5.
Staff reluctant to admit if they don’t know or understand requirements
6.
Scope creep
7.
Not EVERYTHING recorded or measured, especially performance of identified improvements
8.
Concentration on tools rather than process implementation
© 2006 BSI Management Systems All Rights Reserved
- 38 -
How long will it take? • For a company who has not yet implemented ITIL
Approx. 18 months
• For a company who has implemented ITIL well
Approx. 9 months
• Remember that once the processes are designed and documented, they need to be rolled out and run for about 3 months before being audited to prove compliance
© 2006 BSI Management Systems All Rights Reserved
- 39 -
Summary
Qualifications • ISO20000 consultant (ITSMF)
3 day course examining part 1, part 2 and the certification process
Pre-requisite is ITIL Foundation + 5 years relevant IT experience
• ISO20000 auditor (ITSMF)
2 day course examining part 1 in detail with an overview of part 2 and the certification process
Pre-requisite is ISO9000/ISO27001/TickIT certified auditor or certified internal auditor
• Service Quality Management Foundation (EXIN)
3 day course examining part 1, part 2 and the quality management systems in ISO9000
Pre-requisite is IT Service Management experience, preferably the ITIL Foundation
• Many training providers offer non-accredited courses including awareness, planning to implement ISO20000
© 2006 BSI Management Systems All Rights Reserved
- 41 -
ISO 20000 Publicly AvaliableTraining • Understanding ISO 20000:2005 1 Day • ISO 20000:2005 - Internal Auditor course 3 Days • Implementing ISO 20000:2005 2 Days • Lead Auditor ISO 20000:2005 • 5 Days – Expected Launch October 2007 © 2006 BSI Management Systems All Rights Reserved
- 42 -
ISO20000 Certified Organizations • 161 Certified Organizations at April 2007 • External:Internal service provider ratio is approx. 2:1
© 2006 BSI Management Systems All Rights Reserved
- 43 -
ISO 20000 – The Future • Businesses are beginning to demonstrate increasing demand for ISO 20000-1:2005 certification • Certification will become a key market differentiator and pivotal in the selection of supplier and partner organizations. • Because of it’s strong structure and ability to show ROI, ISO 20000 will be THE frame work of choice for IT Service Management. • The standard itself will evolve to aid clarity, respond to feedback and align with ITIL3
© 2006 BSI Management Systems All Rights Reserved
- 44 -
References • ISO/IEC 20000
www.iso.org
www.bsi-global.com
www.ansi.org
• ISO20000 pocket guide
www.itsmf.com
• BSI: Achieving ISO20000 series • BSI: A managers guide to service management • BSI: Self assessment workbook
www.bsi-global.com
• ITSMF Certification scheme
www.isoiec20000certification.com
© 2006 BSI Management Systems All Rights Reserved
- 45 -
Thank You
[email protected] 314-831-7835
[email protected] www.bsiamericas.com 703-437-9000
© 2006 BSI Management Systems All Rights Reserved
- 46 -