
The future of the ISO/IEC 20000 series

Dr. Jenny Dugmore


Service Matters
18th March 2008

Certification audits and accreditation
(Management system standards)

International Accreditation Forum
Membership of IAF dependent on uniformity of approach

National accreditation bodies
Assessment for accreditation of a certification body
Guide 62
17021 / 19011

Certification bodies (audit companies)
Certification audit against the standard
20000-1

Service providers

Where did ISO/IEC 20000 come from?


1989: BSI committee established
1995: Code of practice published
1998: Bigger and better code of practice published
2000: Part 1 Requirements published (BS 15000)
Part 2 Code of practice re-published
2001: Industry consultation on edition 1
2002: Edition 2 management system standard (BS 15000)
2004: October - Fast track submission to ISO
2005: May - vote in favour / comment resolution
December - published as ISO/IEC 20000-1 and -2
2006: May - Work Group 25 starts on new Part 3
2006: November - Work on 2nd edition of Part 1 starts
2007: November - 4 more projects started

What is ISO/IEC 20000 today?

ISO best seller (thousands sold)


Used for 3rd Party certification audits

4 certification schemes accredited


itSMF registration scheme is market leader

Adopted internationally
Many organisations certified (hundreds)

Supported by training and qualifications


Including EXIN, ISEB, itSMF, IRCA/JIPDEC

Often referred to as The ITIL standard


Quality standard to be aimed for

Part 1

Explains the requirements

Part 2

Best practice advice

ITIL best practices

Local documents

Certification scheme

In-house procedures / work instructions

BSI Self-assessment workbook

How do the clauses fit together?


Manage Services
Management Responsibility

Business requirements
Customer requirements
Request for new or changed services
Other process, business, supplier, customer
Other Teams, eg Security

PLAN - Plan service management
DO - Implement Service Management
CHECK - Monitor, Measure and Review
ACT - Continual Improvement

New and changed services

Business Results
Customer Satisfaction
New or changed service
Other process, business, supplier, customer
Team & People Satisfaction

The "shall" requirements (must do)

Leadership
Management commitment

Policy - give management direction

Accountability
Top-down approach
Policy driven

Processes, support policies - what to do

Integrated processes
Intelligent use of metrics
Doing not documenting

Procedures, support processes - how to do it

How is ISO/IEC 20000 used today?


Standalone or combined audits
Common QMS (ISO 9001 & ISO/IEC 27001)

20000-2
Advice on
Part 2

20000-1

27001

9001

Guide 62 & ISO/IEC 17021


ISO 19011

Harmonisation and alignment

Terms
COBIT

Management system standards
IT security
ISO/IEC 27000 series
Quality
management
ISO 9000 series
9001 for S/W

ITIL

Service
Management
ISO/IEC 20000 series

ISO/IEC 90003

17021
19011

S/W Asset
Management
(SAM)

S/W
Reference
Model

ISO/IEC 19770

ISO/IEC 12207

Governance
standards
(ISO/IEC 28015)
Process
assessment
model (SPICE)
ISO/IEC 15504

Systems engineering
ISO/IEC 15288

Software & systems engineering

(process reference & process assessment)

ISO/IEC 20000-3:
advice on scoping, applicability, conformity assessment
8 words in Part 1: "the scope of the service provider's service management"
Example / scenarios based advice
Out for vote - results due May 2008

Single step approach

20000-1 requirements
20000-1 requirements

20000-2 guidance
on requirements
20000-3 scoping
& applicability

Changes being debated for Part 1 and Part 2


Closer alignment with ISO 9001 (Generic quality)
& ISO/IEC 27001 (Information security)
Re-structuring:
Clause 3 & 4 may be merged (management resp. & PDCA)
Dummy clauses 7.1 and 8.1 removed
Part 2 re-aligned to Part 1

Part 2
Better mapping to Part 1
Overall more detail

Some changes to reflect ITIL 3:


But ITIL 3 is closer to ISO/IEC 20000-1 than ITIL 2
Both ITIL 2 and ITIL 3 are suitable routes

Implication of ITIL 3 changes


The link between 20K and ITIL is of spirit and intent
There cannot be a formal link between the two
ITIL is a national (UK) initiative (from ISO perspective)
ITIL cannot be referenced in the 20000 series

Why is there flexibility?


ISO/IEC 20000-1 focus is on what to achieve
ITIL focus is advice on how to

ISO/IEC 20000-1
Very few changes to requirements planned or required for ITIL 3
Agreement to ITIL 3 terms being incorporated
(without reference to UK crown copyright)

ISO/IEC 20000-2
More substantial ITIL 3 type advice to be provided

OGC / BSI white paper due soon

A few random examples..

Configuration Management Database (CMDB): database containing all the relevant details of each configuration item and details of the important relationships between them.

ITIL V3 uses Configuration Management System (CMS) as a set of databases and tools used to manage configuration data and data such as incident, problem, employee data, locations, users.

CMS is not a new name for a CMDB. CMS may contain several CMDBs as well as tools and a wide range of data types collected for many different purposes.
The difference is not a barrier to achieving the Part 1 requirements.

A few random examples..

Many international standards refer to a broad-based category of defects or similar terms.
ISO/IEC 20000:
Incidents
Problems

ITIL V3 draws a more detailed distinction:
Events
Incidents
Problems
Requests

This is one of the differences between the two.


Confusion can be avoided when going the ITIL3 route
by mapping what has been done to clauses/processes in the standard
and the next edition may refer to request fulfilment

A few random examples..

9.1 Configuration management


NOTE: Financial asset accounting falls outside the scope of this section.

ITIL V3 refers to Service Asset and Configuration Management (also referred to as Service Asset Management including Configuration Management).

The term asset is used in a very broad sense as either capabilities, resources or both, depending on the context.

ITIL V3 is different to both ITIL V2 and ISO/IEC 20000 (neither uses the term Service Asset). This is likely to be seen as one of the big differences, but does not present an actual barrier to achieving the requirements of clause 6.4 or clause 9.1.
The use of the term service asset, and the role of service assets in service management, is compatible with the focus on service as well as process that is characteristic of the standard.

One (big) step v Incremental approach

20000-2 guidance
on requirements
20000-3 scoping
& applicability

Incremental approach

Single step approach

20000-1 requirements
20000-1 requirements

Stage 3 advice
Stage 2 advice
Stage 1 advice

Incremental stages
goal is Part 1 requirements

ISO/IEC 20000-1
Stage 3
Stage 2

Stage 1
Chaos
Continual Improvement

Service
Management
System

Process Reference Model and


Process Assessment Model

PAM
15504-8

(SPICE)

20000-2 guidance
on requirements
20000-3 scoping
& applicability

Incremental approach

Single step approach

20000-1 requirements
Stage 3 advice
Stage 2 advice
Stage 1 advice

Conformity
assessment

PRM
20000-4

Process Reference Model (PRM)


& Process Assessment Model (PAM)
PRM defines processes as:
Purpose (very similar to Objective in 20000)
Outcome: the successful achievement of the process purpose
Defines basic maturity level

PAM defines process capability:

Assessment over a series of levels


SPICE assessment: similar to CMMi
More detailed than 20000-1 (typically 100+ pages)
More prescriptive than 20000-1

Scope as for 20000-1:2005

Other initiatives

Mapping:
Standards
COBIT, ITIL

20000-2 guidance
on requirements
20000-3 scoping
& applicability

Incremental approach

Single step approach

20000-1 requirements
Stage 3 advice
Stage 2 advice
Stage 1 advice

PAM
15504-8

(SPICE)
Conformity
assessment

PRM
20000-4

Other initiatives
Advice for Very Small Enterprises on achieving the requirements of ISO/IEC 20000-1


Summary: 1 to 2 year plan

2nd editions
Part 1: Requirements revision (9001 & ITIL alignment)
Part 2: 6 m after Part 1 (longer & ITIL alignment)
New:
Part 3: Scoping/applicability advice (ballot underway)
Part n: Incremental conformity
Part 4: Process Reference Model (Purpose/Outcome)
15504-8: Process Assessment Model
CMMi / SPICE type multi-level assessment

Mapping across standard/methods/frameworks


Continuing programme

Any questions?
Web sites
www.iso.org
www.jtc1-sc7.org
www.bsigroup.com
jenny.dugmore@service-matters.com

Why bother with the standard?


One standard fits all
Independent of products or organisational structure
Common basis for staff training
Common inter-enterprise operational practices
manage across a diverse environment
improved automation

Supply chain is understood and managed


Inter-changeability of service providers

Real proof of best practices


Minimising business risk greater flexibility
Delivers business benefits

Why ISO/IEC 20000?


a quick stroll round the International standards committee structure

The standard is under the control of representatives of national standards bodies (in the UK, this is BSI)
ISO/IEC is named this way because it is under the control of a joint international committee:
ISO (International Organization for Standardization)
IEC (International Electrotechnical Commission)

JTC1 = Joint Technical Committee 1


SC7 = Sub-Committee 7
Others include SC27 (IT Security)
WG = Working Group
SC7 includes many WGs, including WG 25

ISO standards are a separate stream

ISO

IEC

ISO/IEC JTC1

Sub-committees
Working Groups

Why ISO/IEC 20000?


a quick stroll round the International standards committee structure

ISO
IEC
ISO/IEC JTC1
Sub-committees: SC 1, SC 2, SC 3, SC 7, SC 8, SC 27, SC n
Working Groups: WG1A, WG 7, WG 10, WG 21, WG 25, WG n
Governance (may move)

Service Management: 80 members, 20 National Standards Bodies.
Liaison has been established or requested with itSMF I, IAF, ISACA/ITGI (for COBIT) and other International standards groups, TC 176 (ISO 9001), JTC1/SC27 (ISO/IEC 27001, IT Security).

Where we are with service management standards

ISO/IEC
12207

ISO/IEC
15288

SC 7
WG 25

WG 10
SPICE

15504-8
ISO

Capability/maturity:
Previously only s/w
& sys engineering
(aligned with CMMi)

Active
group

Part 4
ISO
Active
group

WG25
Mapping & CAB
Active group

Editor:
Jyrki Lahnalati
Co-editor:
Antonio (Tony) Coletta

Editor:
Beatrix Barafort
Co-editor:
Melanie Cheung

Editor:
Jenny Dugmore
Co-editors:
Marc Taillefer
WG 25 editors

Panel on capability/maturity

Mapping
and CAB

Part n Part 3 Part 2


ISO Active
group

Editor:
Olivier Martin
Co-editors:
Luis Rosa
Alain Renault

ISO Active
group

Part 1

ISO Active
group

Editor:
Anita Myrberg
Co-editor:
Darcie Destito

ISO Active
group

Editor:
Lynda Cooper
Co-editor:
Tess Du Plessis

Editor:
Kenichiroh Yoshida
Co-editor:
Not yet appointed

Panel 1: Management system


20K as we know it but better
