
IRCA Briefing note ISO/IEC 20000-1:2011

How to apply for and maintain Training Organization Approval and Training Course Certification IRCA 3000

Contents

Introduction ... 3
Summary of the changes within ISO/IEC 20000-1:2011 ... 3
Overview ... 3
Detail review ... 4
1. Scope ... 4
2. Normative references ... 4
3. Terms and definitions ... 4
4. Service management system general requirements ... 4
5. Design and transition of new or changed services ... 5
6. Service delivery processes ... 5
7. Relationship processes ... 6
8. Resolution processes ... 6
9. Control processes ... 6-7
Appendix A ... 8

Copyright IRCA 2012


All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without prior permission of the International Register of Certificated Auditors (IRCA). WWW.IRCA.ORG Page 2 of 9



Introduction

The International Register of Certificated Auditors (IRCA) has prepared this briefing note to communicate to IRCA Certificated Auditors, IRCA Approved Training Organizations and other interested parties our understanding of ISO/IEC 20000-1:2011. The content of this briefing note is provided in good faith and is the opinion of IRCA. It should not be reproduced nor used for commercial purposes. IRCA Certificated Auditors and IRCA Approved Training Organizations are advised to familiarise themselves with ISO/IEC 20000-1:2011.

The provision of IT services and the development of their underpinning Service Management Systems (SMS) have evolved considerably since the original standard was published in 2005. The sector has moved from the provision of internal corporate IT systems and bespoke outsourcing of corporate IT systems toward one that embraces consumerization and offers more generic, utility IT services. Practices and methodologies such as ITIL have evolved alongside those developments, and the requirements and conformance controls of ISO/IEC 20000-1:2011 have changed to accommodate them.

The 2011 revision also reinforces alignment with other management system standards, particularly ISO/IEC 9001:2008 Quality management systems - Requirements and ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements, improving and enabling an integrated, process-based approach across disciplines as part of a business management system.

Some may view the modifications in ISO/IEC 20000-1:2011 as a substantial change. Others may think it largely captures good practices already implemented. IRCA's view is that the publication of ISO/IEC 20000-1:2011 gives organizations implementing IT Service Management Systems, and organizations needing to conduct audits of IT Service Management Systems, an opportunity to re-assess their own practices and identify improvement opportunities.
Summary of the changes within ISO/IEC 20000-1:2011

Overview

A principal constraint of ISO 20000-1:2005 when implementing or assessing the conformance of an IT Service Management System (ITSMS) was the number of mandated processes; these were often worded such that they required auditor interpretation and agreement with the auditee. Throughout ISO/IEC 20000-1:2011 many of these process requirements are replaced with explicitly mandated documented procedures. Many are extended with prescribed minimum attributes that improve clarity of review and understanding of intent, and support conforming implementation.

As an indicator of the extent of the changes to conformance requirements, it is interesting to note that:

- ISO 20000-1:2005 had 171 "shall" statements
- ISO 20000-1:2011 has 257 "shall" statements (approximately +50%)

The revision also reinforces alignment with other management system standards, particularly ISO/IEC 9001:2008 Quality management systems and ISO/IEC 27001:2005 Information security management systems. Auditors and assessors with experience of these standards will be familiar with the common themes and terminology. However, those with experience only of ISO 20000-1:2005 may need to review the current standard carefully to ensure an appropriate understanding of the revised conformance requirements.


Detail review

Many clauses of ISO 20000-1:2005 began with a statement of the objective of that clause (though not clauses titled General or Background). These have been removed and do not appear in ISO/IEC 20000-1:2011.

1. Scope

It is this section that confirms the applicability of the standard to the whole service management system lifecycle. The general use cases described in 1.1 a) to f) are derived and developed from those in ISO 20000-1:2005 to clarify the perspectives of the service provider, the organization seeking services from a provider, and the assessor or auditor of conformity.

Figure 2, the Service Management System diagram, promotes a more consistent view of the relationship between the elements of ISO/IEC 20000-1:2011. Most notably, the relationship with customers and other stakeholders is added. The service management system requirements and the design and transition of new or changed services are added as layers in the diagram to show their context and relationship with the service delivery, resolution, relationship and control processes. Also of note, release and deployment management is subsumed into the category of control processes.

Clause 1.2 Application is added to document further clarification of the requirements for conformance. Here it is acknowledged that parts of the service delivery (clauses 5 to 9) may be provided by other parties and that evidence of process governance from these sources is admissible. However, it is emphasised that the service management responsibility, governance of other parties involved in service provision, documentation management, resource management, and service establishment and improvement defined in clause 4 must be evidenced only by the service provider. No part of that clause may be delegated or contracted to another party. ISO/IEC TR 20000-3 provides additional guidance on scope definition and applicability, including further explanation of the governance of processes operated by other parties.

2. Normative references

This empty clause is added only for the purpose of clause numbering alignment with ISO/IEC 20000-2.

3. Terms and definitions

As would be expected from a technical revision, there are now 37 defined terms in ISO/IEC 20000-1:2011 compared with the 15 listed in ISO 20000-1:2005. Many of the additional terms are adopted or adapted from ISO 9000:2005 Quality management systems - Fundamentals and vocabulary and ISO 27000:2009 Information technology - Security techniques - Information security management systems - Overview and vocabulary; others are consistent with ITIL v3 (although ISO/IEC 20000-1:2011 is independent of any specific implementation methodology).

For example, clause 3.11 defines information security as "preservation of confidentiality, integrity and accessibility of information". "Accessibility" is inconsistent with ISO 27000:2009, which uses the term "availability"; however, "accessibility" is used here to avoid conflict with the existing ISO/IEC 20000-1:2011 definition of [IT service] availability in clause 3.1 of this standard.

The improved consistency of terms with other management system standards is a welcome assistance, enabling an integrated, process-based approach across disciplines. However, before undertaking a conformity assessment, care is needed to review the defined terms thoroughly to ensure a common understanding of the idiosyncrasies of some adapted terms.

4. Service management system general requirements

The use of clause 4 to define management system requirements reinforces alignment with other management system standards, particularly ISO/IEC 9001:2008 and ISO/IEC 27001:2005. Clause 4 of this standard is an extensive redevelopment of clauses 3 and 4 of ISO 20000-1:2005, transferring the mature management system principles established by ISO 9001 into this standard. It is not a like-for-like adoption, however; while the requirements and terminology may be familiar, clause 4 of this standard amalgamates equivalent elements from a number of ISO 9001 (and, similarly, ISO 27001) clauses, as outlined in Appendix A.

4.1 Management responsibility is a thorough re-work of ISO 20000-1:2005 clause 3.1, introducing a number of additional requirements. Top management commitment, policy management, authority and responsibility are specified, and the requirements of the Management Representative are defined in more detail.

ISO 20000-1:2005 required mutual agreement on the interpretation of the term "supplier" when assessing conformance of service delivery dependencies through the supplier management clause ("supplier" was not a defined term in that standard, although clause 7.2 Figure 3 indicated an intention to consider only external suppliers).
ISO/IEC 20000-1:2011 introduces clause 4.2 Governance of processes operated by other parties to acknowledge and clarify the range of parties involved in contributing to successful service delivery (internal service provider groups, external suppliers or customer contributions). Further, recall from clause 1.2 that a service provider cannot rely on evidence of the governance of processes operated by other parties for the requirements in clause 4: conformance now requires the service provider to demonstrate both an awareness of the range of service delivery dependencies and governance of those concerns. ISO/IEC TR 20000-3 provides further guidance about the governance of processes operated by other parties.

Clause 4.3 Documentation management defines a more prescribed documentation set for the SMS and introduces formalised document and record controls. A notable addition is the explicit requirement to document a catalogue of services as a separate and distinct document from the Service Level Agreement (SLA); this foundation document is referred to again in support of service design, and its purpose is clarified in clause 6.1 Service level management.

4.4 Resource management clarifies the SMS definition of resources (omitted from clause 2) as human, technical, information and financial resources, with the conformance requirements for the determination and provision of these.

4.5 Service management system planning and implementation, derived from ISO 20000-1:2005 clause 4, has been re-worked in this standard. While the principles and structural outline have been maintained, there are numerous detailed requirement changes throughout which remove many points of ambiguity and interpretation and enable improved consistency of application. For example, the service management plan shall now contain or reference "...statutory and regulatory requirements..." and "...criteria for accepting risks", analogous to ISO 27001 information security management system control requirements. Due to the broad and detailed redevelopment, a thorough review of clause 4 is required to become familiar with and understand the revised and new conformance requirements.

5. Design and transition of new or changed services

Practices and requirements defined by ISO 20000-1:2005 clause 5 have been reworked and expanded to create clause 5 in this standard. Clause 5.1 re-emphasises change management as the prime controlling process. While acknowledging that the planning and design of new or changed services may result in some proposed changes being rejected, the clause makes clear that the service provider shall take the necessary actions to ensure that the remaining accepted changes are sufficient to perform the new or changed service effectively (an indirect conformance requirement for post-change effectiveness monitoring and review that is made more explicit in clause 9.2). Clauses 5.2 and 5.3 list quite comprehensive requirements for the planning, design and development of new or changed services, including specific requirements for services that are to be removed (mothballed, closed or retired) and due diligence of dependencies on other parties contributing to the provision of service components.
5.4 Transition of new or changed services redefines the requirements for pre-deployment service testing against acceptance criteria pre-agreed by the service provider and stakeholders, use of the revised release and deployment control process to migrate the service into the live environment, and a post-deployment review against expected outcomes.

6. Service delivery processes

The overall structure and purpose of this clause remain unchanged. However, a detailed review reveals many additional conformance requirements where ISO 20000-1:2005 statements have been clarified and refined. The more significant changes are outlined below.

There are two notable changes to clause 6.1 Service level management. The first updates the ISO 20000-1:2005 requirement that each service was to be defined, agreed and documented in one or more SLAs. ISO/IEC 20000-1:2011 recognises that a customer may contract a portfolio of IT services from a provider and that these shall now be defined in a catalogue of services for that customer that "includes the dependencies between services and service components". This is then supplemented with one or more SLAs for each of the services being delivered. The other change echoes Governance of processes operated by other parties (clause 4.2): distinct from supplier management (addressed later in clause 7.2), the final paragraph of clause 6.1 mandates governance requirements for service components provided by an internal group or the customer.

Clause 6.2 Service reporting is broadly unchanged in principle; however, the conformance requirements for service report context and content are more prescribed.

6.3 Service continuity and availability management has been expanded and logically restructured into three subclauses with clarified conformance requirements, as follows.

Clause 6.3.1 Service continuity and availability requirements re-emphasises risk assessment of service continuity and availability as the first step in identifying and agreeing requirements with the customer and other interested parties. However, in assessing the conformance of a service provider that delivers a standardised service to a range of customers, the continuity and availability of that service would be risk-assessed and service level targets committed as part of the pre-contract service specification and SLA offered to those customers. The commercial contract would then constitute customer agreement to those prescribed continuity and availability commitments.

6.3.2 Service continuity and availability plans does not continue the former requirement to ensure that requirements are met "as agreed in all circumstances", as that contradicted the risk-based nature of service continuity and availability management.
The clause does prescribe service continuity plan and service availability plan content, with the note that these plans may be combined into one document.

6.3.3 Service continuity and availability monitoring and testing drops the requirement to review the plans at least annually; this standard takes an event-driven approach, mandating review after testing the plans or after invoking the service continuity plan. As previously, service continuity and availability plans shall be re-tested after major changes to the service environment. Further, the tests are to be conducted against continuity and availability requirements, the results recorded and reviewed, necessary actions taken and the result of those actions reported.

6.4 Budgeting and accounting for services remains broadly unchanged, although the revised layout and wording aid clarity. One notable addition is the requirement for a defined interface between the budgeting and accounting for services process and other financial management processes.

Similarly, 6.5 Capacity management generally replicates the previous version of the standard, though again there are subtle changes. The scope of resources to be managed is explicitly listed as human, technical, information and financial resources. Further, there is a subtle change of wording that mandates the required outcome: ISO 20000-1:2005 stated that "Methods, procedures and techniques shall be identified to monitor service capacity, tune service performance and provide adequate capacity". An arguable interpretation of this statement is that the provider could identify methods, procedures and techniques without actually committing to use them to provide adequate capacity. ISO/IEC 20000-1:2011 requires quite unambiguously that "The service provider shall provide sufficient capacity to fulfil agreed capacity and performance requirements".

6.6 Information security management has been reworked to improve alignment with the requirements of ISO 27001. It has been divided into clauses covering information security policy, [risk] controls, and change and incident management. The new policy and control requirements, although lightweight compared with ISO 27001, are more prescriptive than the previous version of this standard and may challenge some organizations that have not implemented an information security management system conforming to ISO 27001. In comparison, 6.6.3 Information security changes and incidents should be less challenging, as it generally replicates the requirements of the previous version of this standard to integrate information security management into existing change management, incident management and improvement processes.

7. Relationship processes

The overall structure and content of this clause remain unchanged, though there are some detailed changes. 7.1 Business relationship management has more focus upon the customer and is less prescriptive about the relationship with other stakeholders.
The annual service review specified in ISO 20000-1:2005 has been replaced in this standard by the requirement for an unspecified communication mechanism, enabling a variety of arrangements from an annual review to a continuous, on-demand review tailored to business requirements. The purpose of this communication is defined, though the wording is a little ambiguous; a reasonable interpretation is recommended as "to promote [mutual] understanding of the business environment in which the services operate and requirements for new or changed services". This would enable, for example:

- the service provider to remain aware of the customer's business and operational environment and of requirements for change arising from the customer, and
- the service provider to respond to changes in their own strategic and commercial environment and to improve, adjust or replace elements of a generic service provided to a number of customers.

Whilst the requirements for the management of customer complaints remain unchanged, customer satisfaction now takes a pragmatic view and enables measurement and analysis based on a representative sample of the customers and users of the services.

7.2 Supplier management now documents a prescriptive list of elements that must be included or referenced in a supplier contract. The annual "major review of the [supplier] contract or formal agreement" specified in ISO 20000-1:2005 has been replaced with the more passive requirement to "monitor the performance of the supplier at planned intervals". Of particular note is the replacement of two process requirements with:

- the requirement for the supplier contract to define or reference "activities and responsibilities for termination of the contract and the transfer of services to a different party", ensuring that this is proactively addressed and documented before the need for transfer or termination arises, and
- the requirement for "a documented procedure to manage contractual disputes".

8. Resolution processes

8.1 Incident and service request management acknowledges the contemporary practice in many organizations of processing incident reports and service change requests through one customer-facing unit and one common process; in this standard, the administration of service requests is lifted out of the Change management clause and placed here. The standard requires the incident and service request management process to be defined by two separate documented procedures for incident and service request lifecycle management, from recording to closure. The information to be made available to personnel performing the process is prescribed and includes information from the Release and deployment management process. The final paragraph prescribes how major incidents are now to be managed using a documented procedure.

8.2 Problem management remains broadly unchanged, although the revised layout and wording aid clarity. One notable improvement is the explicit acknowledgement that not all problems are permanently resolvable; commercial, technical or external constraints may prevent that from happening.
The clause now states that where the root cause has been identified but the problem has not been permanently resolved, the service provider shall identify actions to reduce or eliminate the impact of the problem on the services.

9. Control processes

The configuration and change management clauses are significantly more prescriptive in this version of the standard.

9.1 Configuration management requirement changes include:

- minimum mandatory asset information fields for each CI in the CMDB,
- a documented procedure for recording, controlling and tracking versions of CIs that incorporates asset-risk-based control,
- master copies of CIs recorded in the CMDB shall be stored in secure physical or electronic libraries referenced by the configuration records,
- audit of the records stored in the CMDB at planned intervals.

9.2 Change management requirement changes include:

- minimum change management policy content,
- removal or transfer of a service shall be classified as a change to a service with the potential to have a major impact,
- a documented procedure to record, classify, assess and approve requests for change,
- a documented procedure for managing emergency changes.

The requirements to manage requests for change are similarly more robust, as follows:

- Requests for change classified as having the potential to have a major impact on the services or the customer shall be managed using the design and transition of new or changed services process.
- All other requests for change to CIs defined in the change management policy shall be managed using the change management process.
- The service provider and interested parties shall make decisions on the acceptance of requests for change.
- The activities required to reverse or remedy an unsuccessful change shall be planned and, where possible, tested.
- The service provider shall review changes for effectiveness (ISO 20000-1:2005 required only that changes shall be reviewed for success).

9.3 Release and deployment management, now recognised as a control process, has an overall purpose and content that remain unchanged, although there are some detailed changes. Notable additional requirements are as follows. There is now an explicit requirement to coordinate the deployment plan with the change management process and to include references to the related requests for change, known errors and problems which are being closed through the release. Planning must also include the dates for deployment of each release, the associated deliverables and the intended methods of deployment.
The definition of an emergency release must be documented and the release managed according to a documented procedure that interfaces to the emergency change procedure. For each release, acceptance criteria for the release must be agreed with the customer and interested parties. Prior to deployment, the release must be verified against the agreed acceptance criteria and approved. If the criteria are not met, the customer and interested parties must be involved in the decision about what actions are necessary to proceed.


Appendix A

Service management system general requirements compared with ISO/IEC 9001 & ISO/IEC 27001.

ISO 20000:2011 | ISO 9001:2008 | ISO 27001:2005
4.1 Management responsibility | 5 Management responsibility | 5 Management responsibility
4.1.1 Management commitment | 5.1 Management commitment | 5.1 Management commitment
4.1.2 Service management policy | 5.3 Quality policy | 4.2.1 b) Define an ISMS policy...
4.1.3 Authority, responsibility and communication | 5.5 Responsibility, authority and communication | 5.1 c) establishing roles and responsibilities for information security and Annex A control (note 1) A.6.1.2 (approximate correlation)
4.1.4 Management representative | 5.5.2 Management representative | 5.1 c) establishing roles and responsibilities for information security and Annex A controls (note 1) A.6.1.1 & A.6.1.2 (approximate correlation)
4.2 Governance of processes operated by other parties | 7.4 Purchasing (approximate correlation) | Numerous Annex A controls (note 1), particularly A.6.1.2 to A.6.1.6 and A.6.2 (approximate correlation)
4.3 Documentation management | 4.2 Documentation requirements | 4.3 Documentation requirements
4.3.1 Establish and maintain documents | 4.2.1 General | 4.3.1 General
4.3.2 Control of documents | 4.2.3 Control of documents | 4.3.2 Control of documents
4.3.3 Control of records | 4.2.4 Control of records | 4.3.3 Control of records
4.4 Resource management | 6 Resource management | 5.2 Resource management
4.4.1 Provision of resources | 6.1 Provision of resources | 5.2.1 Provision of resources
4.4.2 Human resources | 6.2 Human resources | 5.2.2 Training, awareness and competence
4.5 Establish and improve the SMS | Numerous references (as below) | 4.2 Establishing and managing the ISMS
4.5.1 Define scope | 4.4.2 a) Quality manual QMS scope definition | 4.2.1 a) Define the scope and boundaries of the ISMS
4.5.2 Plan the SMS (Plan) | 5.4.2 Quality management system planning | 4.2.1 b) Define an ISMS policy, through to j) Prepare a Statement of Applicability (approximate correlation)
4.5.3 Implement and operate the SMS (Do) | 4.1 General requirements (approximate correlation) | 4.2.2 Implement and operate the ISMS
4.5.4 Monitor and review the SMS (Check) | 5.6 Management review | 4.2.3 Monitor and review the ISMS
4.5.4.1 General | 8.1 Measurement, analysis and improvement - general | 4.2.3 Monitor and review the ISMS
4.5.4.2 Internal audit | 8.2.2 Internal audit | 6 Internal ISMS audits
4.5.4.3 Management review | 5.6 Management review | 7 Management review of the ISMS
4.5.5 Maintain and improve the SMS (Act) | 8.5 Improvement | 8 ISMS improvement
4.5.5.1 General | 8.5.1 Continual improvement | 8.1 Continual improvement
4.5.5.2 Management of improvements | 5.6 Management review | 7 Management review of the ISMS, supplemented by 4.2.1 d) Identify the risks to i) Obtain management authorization (approximate correlation)

Note 1: ISO 27001:2005 conformance does not require implementation of all control objectives and controls in Annex A of the standard, as these are selected based upon the defined scope of the Information Security Management System. However, it would be very unusual for an organisation to justify exclusion of the control objectives and controls defined in A.6.1.


International Register of Certificated Auditors (IRCA)
2nd Floor North
Chancery Exchange
10 Furnival Street
London EC4A 1AB
United Kingdom
Email: irca@irca.org
Tel: +44 (0) 20 7245 6833
Fax: +44 (0) 20 7245 6755
