ISO20000: What it is and how it relates to ITIL v3

ISO20000: What it is and how it relates to ITIL v3 John DiMaria; Certified Six Sigma BB, HISP BSI Product Manager; ICT (ISMS,ITSM,BCM)

Objectives and Agenda To raise awareness, to inform and to enthuse ISO20000 what is it? ISO20000 how does it relate to ITIL3? ISO20000 why do you need it? ISO20000 how to achieve certification Summary -2-

ISO20000 What is it?

ISO/IEC 20000 Part 1 Specification for Service Management ISO/IEC 20000-1: 2005 Part 2 Code of practice for Service Management ISO/IEC 20000-2:2005 To promote the adoption of an integrated process approach to deliver managed services to meet the business and customer requirements ISO/IEC 20000-1:2005-4-

Part 1 and Part 2 Audit is against part 1. Assess and Aim initially for minimum requirements part 1; Use Part 2 for guidance and continuous improvement Part 1 Specification Management with appropriate authority shall approve an information security policy that shall be communicated to all relevant personnel and customers where appropriate. Part 2 Code of Practice The service providers staff with information security roles should be conversant with BS7799 (ISO17799/ ISO27001). -5-

History UK Government launches IT Infrastructure Library (ITIL) in 1989 ITIL defines best practice processes and procedures ITSMF formed in 1991 to further develop best practice BSI Service Management committee develops a code of practice book and then a standard aligned to ITIL BS 15000 first published in 2000 as a specification Early adopters programme led to revised edition in 2002 Certification scheme available from November 2003 Adopted as ISO 20000 in December 2005-6-

Product Fit ISO 20000 ISO 27001 ISO 9001:2000-7-

Process mapped to organizational unit Organization IT Manager Operations and Office Automation Software Service Network Management and Telematics Department Desk Print and Mail Project Organization Software Maintenance and Application Management Process -8-

The world s first IT service management process standard that provides the industry with a standard that can be used for auditing and assessing internal service providers and external suppliers across the supply chain To help organizations provide a quality service and be cost effective via professional service management Supplier A Supplier B (Lead Supplier) Service Provider Scope of ISO 20000 Customer Supplier 12 Supplier 23-9-

ISO20000 Process Framework -10-

Plan, Do, Check, Act Management System Manage Services Business requirements Customer requirements Management Responsibility PLAN Plan service management Business Results Customer Satisfaction Request for new or changed services Other process, business, supplier, customer Other Teams, e.g. Security ACT Continuous Improvement CHECK Monitor, Measure and Review DO Implement Service Management New or changed service Other process, business, supplier, customer Team & People Satisfaction Source: ISO 20000-11-

ISO20000 How does it relate to ITIL

IT Service Management Framework -13-

ITIL v3 Lifecycle Framework Governance Methods Standards Alignment Continual Service Improvement Knowledge & Skills Case Studies Service Design Service Strategies Specialty Topics Templates ITIL Service Operation Scalability Continual Service Improvement Service Transition Continual Service Improvement Executive Introduction Quick Wins Study Aids (c) Crown Copyright 2007 Reproduced under Licence from OGC Qualifications -14- ITIL is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office

Common processes across ISO20000 and ITIL v3 Incident Management Problem Management Service Level Management Service Reporting Supplier Management Capacity Management Information Security Management Change Management -15-

Similar processes across ISO20000 and ITIL v3 Release Management Release and Deployment Management in ITIL v3 It additionally covers deployment approaches and knowledge transfer in more detail, and early life support Configuration Management Service Asset and Configuration Management in ITIL v3 Manages service assets from acquisition to disposal Provides a configuration model of services, assets and infrastructure, and their relationships Service Continuity and Availability Management Two separate processes in ITIL v3 Budgeting and Accounting for IT Services Financial Management in ITIL v3-16-

Processes within ISO20000 but not ITIL v3 Business Relationship Management This is mentioned briefly in the ITIL v3 Service Strategy book but is not expanded to be a process Some elements such as Customer Satisfaction Survey and addressing complaints are covered in the ITIL3 SLM process -17-

Functions ISO20000 None ISO20000 is process based and does not cover functions ITIL v3 Service Desk IT Operations Management Application Management Technical Management -18-

Roles ISO20000 ITIL v3 Top/Executive Management Senior Responsible Owner not defined Process Owners not defined Contract Managers Individual(s) responsible for customer satisfaction and the whole business relationship process not defined not defined not defined not defined not defined Service Owners Process Owners/Managers Functional Group Managers Contract Managers Business Relationship Manager Product Manager Service Design Manager Chief Sourcing officer -19-

Key Corresponding Documents ISO20000 Service Improvement Policy Configuration Management Policy Release Policy Financial Policy Information Security Policy Service Level Agreements, Supporting Service Agreements and Contracts Emergency Change Policy Service Improvement Policy Plan for improving the service Availability, Service Continuity, Capacity, Roll Out and Release Plans Documented Processes and Procedures ITIL v3 Continual Service Improvement Policy Service Asset and Configuration Management Policies Release Policy Financial Plans and Budgets Information Security Policy Service Level Agreements, Operating Level Agreements and Contracts Change Management Plans Service Improvement Plans Availability, IT Service Continuity, IT Recovery, Capacity and Release Plans Appropriate Process Documentation -20-

Other Key Documents ISO20000 Service Management Policy Service Management Plan Definitions of Service Management Roles, Responsibilities and their competencies Framework of Management Roles and Responsibilities Plans for New and Changed Services Document Management Procedures Risk Management Approach Methods for Monitoring and Measuring Processes Audit Procedure and Audit Plan Complaints process Security Controls List of Stakeholders and Customers Service Report Descriptions -21- ITIL v3 Stakeholder Management Strategy Service Portfolio Service Design Package Service Level Package Test Strategy Service Catalogue Reporting Policy Knowledge Management Strategy Projected Service Outage Change Schedule

Mapping Summary ISO20000 ITIL v3 Standard and Code of Practice Best Practice Certification for a service provider Definitive high-level requirements for processes and management system Organisational structure independent 13 processes; no functions, lifecycle not explicitly specified Definitive set of required documents Qualifications for individuals Detailed Best Practice guidance, description and implementation aids Defines many function and process roles and responsibilities 26 processes and four functions documented in five lifecycle stages Descriptions of key documentation -22-

ISO20000 Why do you need it?

Why do we need Service Management? The Business is more and more dependent on IT Complexity of Technology constantly Increases Customers are demanding more for less Global competitiveness growing at rapid rate requiring a more flexible approach to integration Stronger focus on controlling costs of IT Low customer satisfaction levels (Not surveys) Information Governance Regulations Customers have become services focused with a strong orientation related to service levels and costs. -24-

Drivers Move from investing in tools to develop software to managing the quality of these systems and linked processes once they are live The need to deliver cost effective service delivery Lack of guidance and accepted standards Raising the profile of the IT department Government / ITIL / ISO20000 I n v e s t m e n t Internal Services Quality Employee retention Value Employee for satisfaction customers Employee productivity Customer satisfaction Customer loyalty Revenue growth Profitability -25-

Drivers to achieving certification to ISO20000 External service providers ISO20000 is becoming a basic bid requirement especially for IT Service Providers, in the same way as ISO9000 ten years ago Gives confidence to customers in selecting an external service provider who is ISO20000 certified Provides a competitive edge Internal service providers Significant milestone for an IT department demonstrating professionalism that has been independently certified Generic drivers for all Hard evidence that Quality of ITSM is taken seriously Supports the business to operate more effectively Enforces a method of review and assessment linked to continuous improvement Staff morale boosted by working in a controlled environment Enforces process compliance by turning the shoulds into shalls so that all the benefits of best practice ITSM will be gained -26-

Certification to ISO 20000 ISO 20000 is increasingly seen as the quality standard for IT Service Management Many companies striving to adopt for its benefits to them and to also help qualify and choose suppliers and partner organizations Only a formal certification scheme provides independent verification of compliance Raises internal profile -27-

Gartner view of ISO20000-2006 By 2008 ITIL Compliance will be a buying criteria in 75% of relevant IT sourcing decisions (0.8 probability) By year end 2008 at least 60% public sector and at least 30% private sector relevant IT sourcing deals in mature ICT economies will demand ISO/IEC 20000 certification in their RFPs (0.6 probability) -28-

Samsung Case Study Benefits Verification of IT services delivery meeting the needs of our topnotch customers 37.5% reduction in operational problems through proactive problem management Paradigm shift on IT service management from the technology-centered to the customeroriented Demonstrating strengths as a strategic partner in IT outsourcing market both internally and externally -29-

ISO20000 How to achieve certification

Implementing Service Management Some of the biggest challenges IT teams face when implementing Service Management include: 1) getting the attention and commitment of senior management and 2) ensuring acceptance and adoption of managed change throughout the organization. -31-

Implementing Service Management Service Improvement Program Preparation Assessment Implementation What is the vision? What are our objectives? Where are we now? Where do we want to be? Are we there? How do we get there? -32-

Implementing Service Management Preparation Assessment Implementation -33-

Preparing for ISO20000-34-

Planning and Business case Use gap analysis to plan way forward including quick wins Costs: Auditors Internal staff involvement External consultancy Training Tools Benefits: Quantifiable service improvements, staff savings, cost savings and control, holding onto contracts, winning contracts if requirement of bids, taking on more services with same staff numbers etc Non-quantifiable quality improvements, competitive edge, staff morale, customer satisfaction etc -35-

Establish Management System and Processes Use a process approach to implementation Examine each key component in the process Examine issues Compare current status VS requirements Take action on the differences and improve Organizational skills assessment and training plan Use a specified case study as guidance Process ownership R esponsibility A uthority S kills A ccountability R ecognition The RASAR s edge -36-

Certification Assessment Stages Pre- audit assessment (optional) Documentation Assessment Compliance Assessment Pre-certification Certification Body Issues Certificate Continuing Assessment Triennial Re-assessment Post-certification -37-

Common Pit Falls to implementation 1. Existing processes & procedures did not always align 2. Some processes did NOT exist, others not being used 3. Some staff did not really understand the difference between process & procedure 4. Implementation resource staff still had to do their day job 5. Staff reluctant to admit if they don t know or understand requirements 6. Scope creep 7. Not EVERYTHING recorded or measured, especially performance of identified improvements 8. Concentration on tools rather than process implementation -38-

How long will it take? For a company who has not yet implemented ITIL Approx. 18 months For a company who has implemented ITIL well Approx. 9 months Remember that once the processes are designed and documented, they need to be rolled out and run for about 3 months before being audited to prove compliance -39-

Summary

Qualifications ISO20000 consultant (ITSMF) 3 day course examining part 1, part 2 and the certification process Pre-requisite is ITIL Foundation + 5 years relevant IT experience ISO20000 auditor (ITSMF) 2 day course examining part 1 in detail with an overview of part 2 and the certification process Pre-requisite is ISO9000/ISO27001/TickIT certified auditor or certified internal auditor Service Quality Management Foundation (EXIN) 3 day course examining part 1, part 2 and the quality management systems in ISO9000 Pre-requisite is IT Service Management experience, preferably the ITIL Foundation Many training providers offer non-accredited courses including awareness, planning to implement ISO20000-41-

ISO 20000 Publicly AvaliableTraining Understanding ISO 20000:2005 1 Day ISO 20000:2005 - Internal Auditor course 3 Days Implementing ISO 20000:2005 2 Days Lead Auditor ISO 20000:2005 5 Days Expected Launch October 2007-42-

ISO20000 Certified Organizations 161 Certified Organizations at April 2007 External:Internal service provider ratio is approx. 2:1-43-

ISO 20000 The Future Businesses are beginning to demonstrate increasing demand for ISO 20000-1:2005 certification Certification will become a key market differentiator and pivotal in the selection of supplier and partner organizations. Because of it s strong structure and ability to show ROI, ISO 20000 will be THE frame work of choice for IT Service Management. The standard itself will evolve to aid clarity, respond to feedback and align with ITIL3-44-

References ISO/IEC 20000 www.iso.org www.bsi-global.com www.ansi.org ISO20000 pocket guide www.itsmf.com BSI: Achieving ISO20000 series BSI: A managers guide to service management BSI: Self assessment workbook www.bsi-global.com ITSMF Certification scheme www.isoiec20000certification.com -45-

Thank You John.dimaria@bsi-global.com 314-831-7835 inquiry.msamericas@bsiglobal.com www.bsiamericas.com 703-437-9000-46-