- Service Management System
- Design and Transition
- Service Delivery Processes
- Relationship Processes
- Resolution Processes
- Control Processes
The aim of the ISO/IEC 20000 standard is to provide a common reference standard for all companies that deliver IT services for internal or external clients. One of its other objectives is to promote a common terminology which makes an important contribution towards communication between service provider, supplier and customer.
The standard will also adopt the integrated process approach from the service management framework of ITIL®. These processes are contained within a process model, forming part of the quality management system and providing an important aid in communication with the customers (users) as well as within the IT. The process model illustrates which processes control, support and continually improve service delivery.
ISO/IEC 20000 is coordinated with the IT Infrastructure Library (ITIL®). ITIL® is a collection of best practices to which a service provider can align itself so it can deliver high quality services. ISO/IEC 20000 represents the quality benchmark. ITIL® therefore supports the service provider along this route.
The ISO/IEC 20000 standard comprises two parts:
ISO/IEC 20000 Part 1: Specification for Service Management
This formal specification defines the requirements of an organization and the management system for delivering managed services at a level of quality acceptable to the customer. In this respect it is irrelevant as to whether this is an internal or external customer.
ISO/IEC 20000 Part 2: Code of Practice for Service Management
This part represents a Code of Practice and describes the optimum experiences achieved with service management processes within the scope of ISO/IEC20000-1. This Code of Practice is useful in particular for organizations who wish to prepare for an audit and the certificate in accordance with ISO/IEC20000-1 or who are planning fundamental improvements in their services.
Service Management System
The first process group of the ISO/IEC 20000 standard defines the bases and principles for successful implementation of the management system. This follows the objective of providing a management system taking into account basic principles and structures in order to facilitate a properly coordinated management and effective implementation of IT services.
One prerequisite for this is a customer and process-orientated method of working in all areas of information technology. This necessary cultural change cannot simply be demanded of the employees but instead must receive the active support and encouragement of the management which must lead by example.
Under ISO 20000 the IT strategy is particularly important for these IT service management disciplines for which the senior management is responsible. In addition, the striving for continual improvement in all IT areas must be decreed as a binding guideline and consistently implemented.
The objective is to embed and therefore secure the responsibilities for implementing the service management system within the service provider’s senior management level.
To enable these obligations to be met the responsibility for the service management system must be delegated to a member of the Management Board is responsible for implementation and has sufficient expertise for this task. Ideally this person will receive support from a management group that will help in the decision-making process. The defined service manager is therefore also the owner of the entire service management system.
The service provider must supply documents and records on the support given to the management process. This is intended to ensure effective planning, operation and monitoring of the service management processes.
A process must be installed for document and record production and management. The documents are the foundation and basis for verification that the service management guidelines are being adhered to.
A fundamental distinction must be drawn between two key elements
- Documents which record the management’s plans and intentions.
- Records that testify to the implementation.
It should be explained that service management exists not only on paper but is also actually practiced in all processes. Proof of this must be provided in an integrated form. It is the responsibility of the management to ensure that the basic principles and all processes are:
- regularly reviewed and
Descriptive documents and corresponding records are required for this purpose.
Expertise and Training
Management and employees must be aware of the relevance and importance of their activities within the service management and understand how they contribute towards achieving the quality targets.
Corresponding expertise and skills must be available in order to ensure that the requirements for new or modified services can be met.
The dynamic, continuing advances in technology require on-going education and further training for the employees who should be managed via coordinated skills management. As part of the annual target agreement discussions and the targets derived from the service management planning, the training requirement for the employees to meet future requirements is determined on the basis of a consistent analysis of any shortfalls and condensed into an annual training plan. The effectiveness of training measures must be reviewed.
In order to determine the specific demand the service provider first defines the specific skills required for each role in the service management. Detailed records must be kept on the education and training courses completed by each employee together with their acquired knowledge and experience.
Planning and Implementation of Service Management – Overview
In the planning and implementation of the service management account must be taken of the decisions made (targets), processes and defined responsibilities. A Quality Management System (QA) forms the basis for this. The development of a QA system is a demanding task and requires understanding of the purpose, guidelines and targets as well as the processes involved. This interrelationship is known as “Planning and Implementation of the Service Management”.
The Deming cycle (Plan-Do-Check-Act) must be embedded within the organization. In this context it is important to document the successful application of this model. The output of each activity simultaneously represents the input for the next activity. The feedback between the processes is presented consistently and in transparent form.
It is important for the service management employees to be well-versed in the basic principles of service quality, the service management processes as well as their own personal contribution. This principle ensures that measures can be taken at any time in order to increase the effectiveness and efficiency of the service delivery.
When implementing and reviewing the service management processes the requirements under this section must be applied not only for the management system as a whole but also for each individual process in the ISO 20000 management system.
Plan, Do, Check & Act
The objective of this process is the planning of the implementation and provision of the service management system.
The successful implementation of these plans requires clear management instructions and documented responsibilities for the review, approval, communication, implementation and updating of the plans.
All plans specific to a process must conform to the superordinate service management plan.
The objective of this process is to embed the service management targets and the service management plan.
Once the service management plan or process plans have been implemented the task then is to concentrate on the operation and continual optimization of the service management processes. We have seen in practice that the employees responsible for implementation need to be replaced by other suitable employees for the task of continuous operation.
The task here is to monitor and measure as well as review the attainment of the service management objectives and service management plan. In this context, reviews must be planned and carried out at regular intervals, at least annually.
The results of the review and testing are used as an input for the next step, “Act”, in the Deming cycle. The aim of this is to achieve an improvement in the service processes.
The management must firmly establish and communicate a basic principle that contains a clear definition of the roles and responsibilities (CSI owner) for improving service activities.
Any aspects that do not conform to the service management plans must be eliminated. A service improvement plan must be drawn up for dealing with all proposed service improvements.
Improvements to the individual processes can be managed by the respective process owner. More extensive improvements – such as for example rectifying non-conformities which extend throughout the company or improvements in more than one process – must be carried out within the framework of one or more projects.
Prior to the implementation of a service improvement plan the service quality and service level must be documented as a baseline. On the basis of this data a comparison with the actual improvements achieved should be carried out.
Planing of New Services
ISO/IEC 20000 has a separate process for the planning and implementation of new or modified services. The aim of this is to ensure that the new and modified services are delivered at the agreed costs and in the desired service quality.
Special account should be taken of the following aspects. All new or modified services are implemented in accordance with the PDCA cycle:
The offer of new or modified services must take into account the impact on costs and profitability and the organizational and technical influences on the service management and service delivery.
The implementation of new or modified services – including the termination of a service – must be planned and formally approved by the Change Management.
The planning and implementation must take appropriate account of financing and resources so the necessary changes for service delivery and service management can be carried out.
Service Delivery Processes
The service delivery core area encompasses the planning and tactical level of IT service management. In this area the actual service levels are defined and agreed and reports submitted on the actual services rendered.
The following processes form part of service delivery:
- Service Level Management
- Service Reporting
- Capacity Management
- Service Continuity & Availability Management
- Information Security Management
- Budgeting & Accounting for IT Services
Service Level Management
The service level management process must ensure that the full scope of the services is agreed and documented.
We recommend a structured procedure in accordance with the documented guideline below for meeting the specifications required of the service level management.
The service level management process should not be performed on a formalistic and rigid basis but instead be flexibly and proactively geared towards changes. It is necessary to ensure that a distinctive customer focus is applied on all levels and in all phases of the service delivery. Customer satisfaction is seen as a subjective assessment and the achievement of the agreed service targets an objective assessment. Corresponding attention must therefore be paid to the way in which the service is perceived by customers and users.
This process regulates the fundamental tasks of the service provider and therefore forms the basis or even in fact the authority for delivering the customer services. The service provider should therefore possess sufficient information in order to have a genuine understanding of the business drivers and the customer’s requirements.
The SLM process must be linked appropriately with the business relationship and supplier management processes.
A clear definition must be provided for all reports as to the intention and purpose of the report, its target groups and, in particular, the data sources. Reporting needs identified from customer requirements must be met.
The success of all service management processes depends upon the utilization of the information from the service reports. The management decisions, together with corrective action, must be based on the results of the service reports and communicated to all relevant parties.
Less is often more. This applies very specifically in the case of service reports. We recommend that reports should only be produced on the basis of agreed and documented customer requirements and those of the internal IT management. In this context, the relationships with both internal as well as external suppliers should also be illustrated to enable the entire service chain to be reviewed.
Service Continuity and Availability
The two processes, availability and service continuity management, must ensure that the agreed objectives of availability and continuity for the customer can be met in every case.
It is vital that all activities and expenditure, as well as the resources assigned for the implementation of the continuity and availability targets, should be coordinated with the requirements of the business.
The availability must be recorded for monitoring the services and historic data sets kept for trend developments in order to identify and document deviations from the defined targets. We also recommend that the effectiveness of improvement measures which have been introduced should then be reviewed.
The availabilities and planned maintenance windows must be forecast in advance and communicated to all those involved. This will enable preventative maintenance to be carried out on a targeted basis.
The service provider must give an undertaking to draw up a strategy for adhering to the service continuity targets. One of the integral parts of this strategy is a risk assessment based on the extent of loss and probability of occurrence which takes into account both service as well as particularly critical operating times.
We recommend that the service provider clearly defines at least the following points with each customer group:
- maximum accepted period without service
- maximum accepted period with reduced service
- accepted reduced service level during a defined recovery period
The service continuity strategy must be reviewed jointly with the business representatives on a continual basis, at least however annually. All changes to the strategy must be formally agreed and implemented within the framework of the change management.
The capacity management ensures that the service provider has sufficient capacities permanently available in order to meet the current and future agreed business resource needs. In this sense efficiency means that provision is made for a high level of resource capacity utilization.
The aim of capacity management is to proactively avoid resource bottlenecks. The following best practice recommendations have become established practiced for meeting the requirements of capacity management:
The service provider must understand the current and future requirements from the business perspective and consequently be able to ascertain the future IT requirement on the basis of the strategic business development.
Derived from the business strategy the demand forecasts and estimates of capacity utilization must be converted into specific requirements for the IT infrastructure and documented. To this end the load response of the corresponding service components for different levels of transaction volumes must be understood from the technical viewpoint.
The data on current and past component and resource capacity utilization levels should be recorded in transparent form and analyzed for the purpose of forecasting capacities.
New or modified services must be assessed in terms of the future capacity demand in the various life phases and corresponding preparations made.
The capacity plan which documents the current performance of the infrastructure and the anticipated requirements must be drawn up to meet the relevant situation, at least however on an annual basis. It should be noted that test and integration environments in particular show a relatively high capacity reserve which is actually rarely utilized.
The purpose of all measures in capacity management is to achieve the agreed service level targets.
Information Security Management
The objective of the information security management is to provide effective control and monitoring of the information security for all service activities. The standard refers to the Code of Practice ISO/IEC 27001 which forms a good basis for implementation of the information security.
Information security is a system of guidelines and procedures for identifying, controlling and protecting information and all operating materials associated with its/their storage, transfer and processing. Best practice recommendations for meeting the requirements demanded of information security management have become established in the following structure:
IT security basic principles
- Identification and classification of information assets
- Security risk assessment
- Controls (monitoring, guidance measures)
- Documents and records as proof
Budgeting and Accounting Management
The aim of budgeting and accounting for IT services is to budget for and provide documentary evidence of the costs for service provision. Experts in the ITIL framework might think that charging has been missed out here. In fact, service charging is not a direct requirement of the ISO/IEC 20000 standard. However, it does make reference to the importance of charging and recommends that it be implemented in accordance with the general basic principles. However, since a large number of organizations do not wish charging to be included for business policy reasons this was left out of the specification.
Budgeting and accounting does not have to be re-defined. Any implementation in this area must be agreed and coordinated with the company’s central accounting department. We recommend that guidelines be drawn up on the handling of the budgeting and accounting processes. This guideline or policy must define the required level of detail as shown below:
- What types of costs have to be proven?
- What is the structure of the allocation code for the overheads?
- What categorization detail of the customer business should be chosen in order to apportion the charging (business unit, department, location)?
- What is the procedure for dealing with deviations from the budget? Are there any dependencies with regard to the size of the deviation? What is the procedure for escalation to the senior management?
- How is this linked with the service level management?
The costs expended for the budgeting and accounting processes must be determined according to customer, service provider and supplier demand. The benefits of recording operational data must justify the expense.
The relationship processes describe the two aspects of business relationship management and supplier management. In this context the standard focuses on the role of the service provider (frequently a company’s IT organization) which is logically positioned between customer and supplier.
Both customers as well as suppliers can be part of the service provider’s organization or external. A fundamental distinction is drawn between the following three levels for the contracts:
The agreements between the customer and service provider are known as service level agreements (SLA).
External support (suppliers) required for the agreed IT services are formalized with underpinning contracts.
Operational level agreements govern the relationships within the IT organization for the service delivery.
In order to create good relationships between the participating parties clear agreements must be in place. In this context, all parties should have the same understanding of the business requirements, service capacity as well as the framework conditions and the respective responsibilities and obligations. This is the only way in which each party can meet its performance obligation.
Business Relationship Management
The aim of business relationship management is to understand the customer and the business process drivers and based on this to establish and maintain a good relationship between the service provider and the customer.
Three key aspects must be anchored within the organization in order to meet the requirements demanded of business relationship management:
- Regular service reviews
- Service complaints procedure
- Measurement of customer satisfaction
The aim of supplier management is to control suppliers in order to ensure a smooth delivery of high quality services.
As a general rule there are a number of suppliers involved. These are often also subdivided into main suppliers and subcontract suppliers. It is therefore necessary to clearly define whether the service provider is to negotiate directly with all suppliers or whether a main supplier is to take over the responsibility for the subcontract suppliers.
The supplier management process must ensure that the supplier understands its obligations to the service provider. The requirements must therefore be clearly defined and agreed. It is also necessary to ensure that all changes to these agreements are monitored by the change management process.
In order to avoid conflicts we recommend that records be created of all official business transactions between all the parties. The services of the supplier must be continually monitored and an appropriate response taken as required.
The resolution processes include the incident and problem management processes. These are standalone processes even if they are closely interlinked. Incident management deals with the restoration of the service for the service user. Problem management by contrast deals with the identification and elimination of root causes in the case of major or repeat disruptions and therefore ensures a permanent and stable service infrastructure.
Setting priorities in dealing with disruptions and problems is based on the two criteria of Impact (negative affect on the service) and urgency (urgency as a result of the current situation). The impact should be based on the extent of the interruption to business whilst the urgency is based on the timescale between the incident or problem occurring and the negative impact on the customer’s business.
Problem management is intended to provide workarounds in order to lend support to the restoration of the service by the incident management or the user. A known error in a service can only be rectified if a correcting change has been successfully implemented or if the known error no longer occurs. Information on workarounds as well as their applicability and effectiveness must be stored and updated in a known error database.
The aim of incident management is to restore the agreed service for the business and respond to service enquiries as quickly as possible.
In order to fulfill the specification requirements it is necessary to ensure that the incident management is designed as a reactive and proactive process that responds to error messages. The process must focus on the restoration of the IT service concerned and consciously not deal with the identification of the root cause.
The incident process (incidents and service requests) comprises receiving calls, recording, prioritization, taking account of security provisions as well as following up on the incident processing status. It should also govern the agreement on fault processing with the customer as well as any escalation procedures. All incidents must be recorded in such a way as to enable the relevant information to rectify the error to be ascertained and analyzed.
The progress of work should be reported to the current and any potential personnel affected. All activities must be fully recorded in the incident ticket.
Wherever possible, customers must be able to continue their business in the appropriate way. Workarounds can also be utilized for this purpose.
The aim of problem management is to minimize the disruption to and impact on the business by proactively identifying and analyzing the root causes of service incidents and by managing problems until these are rectified.
Problem management must identify the root causes of the incidents on a reactive basis and proactively prevent incidents reoccurring. Problems are to be classified as known errors as soon as the root cause of the incident is known and a solution method for avoiding such incidents has been found.
For incident management to receive an optimum supply of information, all known errors and IT services affected must be documented and the associated configuration items identified. Known errors should only be closed once a definitive, successful solution has been found.
Once the root cause has been identified and a decision reached on the solution, this solution must be dealt with by the change management process. Information on the progress, potential workarounds or permanent solutions must be sent to all parties involved.
The closure of problem tickets should always be carried out in accordance with the following reviews:
- Has the solution been precisely documented?
- Has the root cause been categorized in order to provide support for future further analyses?
- Have the customers and support employees affected been informed of the solution?
- Has the customer confirmed that he/she accepts the solution?
- Has the customer been informed if no solution has been found?
The effectiveness of completed solutions to problems must be reviewed. In particular, trends such as for example reoccurring problems and incidents, defects, errors, known errors in planned releases or resource commitments must be identified by employees.
The control processes create the key conditions required for a stable and secure IT operation by maintaining a proper IT inventory and ensuring notified changes in the IT landscape in the form of individual changes or as bundled packages (releases). Change and configuration management form two core processes in the whole process model. These two processes enable a service provider to control the service and infrastructure components and to manage secure information. Precise information is the basic prerequisite for decision-making in the change management process as well as for all other service organization processes.
The aim of configuration management is to define and control the components of the service and infrastructure and to manage precise configuration information.
All key assets and configurations should be assigned to the responsibility of a manager who ensures appropriate security and control. This is intended to guarantee, amongst other things, that approval is obtained before changes to the CI are implemented. The following recommendations for meeting the specifications for the configuration management process have become established practice:
- Planning and implementation
- Configuration identification
- Configuration control
- Proof of status
- Verification and audit
The aim of change management is to ensure that all changes are evaluated, approved, introduced and reviewed using stipulated methods. In this context the focus is on the efficient and prompt implementation with minimal risk to the operational business.
The change management processes and procedures are intended to ensure that changes have a clearly defined and documented scope. Only changes which have an identified business benefit will be authorized. Changes should be planned on the basis of priority and potential risk. Changes to configurations must be verified during the implementation of the change.
The status of the changes and planned dates for implementation form the basis for change and release planning. Information on dates should be communicated to the persons affected by the change.
Whereas change management concentrates on controlling changes, release management prepares the planned changes for distribution. Release management should be integrated into the configuration and change management processes in order to ensure that the releases and implemented changes are coordinated. Release management coordinates the activities of the service provider, suppliers and business cycles. The outcome of this is a plan for the supply of a release to the operational IT environment.
The aim of the release management is to deliver, distribute and monitor one or more changes in a release to the operational environment.
One of the key tasks of release management process is to coordinate all the participating resources in order to hand over a release to a shared environment. In this context good planning and management is a basic prerequisite for packaging releases, their successful distribution as well as for having the associated impact and risks for the business and the IT under control.
We recommend that all aspects of the release be planned in advance with the business. To this end the impact on the associated CIs must be evaluated and both the technical as well as the non-technical aspects be jointly taken into account.
For the purpose of transparency all release elements must be traceable and safeguarded to prevent their being changed. Only tested and approved releases should be accepted within the operational environment.