  • Number of slides: 27

The future of the ISO/IEC 20000 series
Dr. Jenny Dugmore, Service Matters
18th March 2008

Certification audits and accreditation (Management system standards)
International Accreditation Forum
Membership of IAF dependent on uniformity of approach
National accreditation bodies
Assessment for accreditation of a certification body
Guide 62; 17021 / 19011
Certification bodies (audit companies)
Certification audit against the standard 20000-1
Service providers

Where did ISO/IEC 20000 come from?
1989: BSI committee established
1995: Code of practice published
1998: Bigger and better code of practice published
2000: Part 1 Requirements published (BS 15000); Part 2 Code of practice re-published
2001: Industry consultation on edition 1
2002: Edition 2 – management system standard (BS 15000)
2004: October – Fast track submission to ISO
2005: May – vote in favour / comment resolution; December – published as ISO/IEC 20000-1 and -2
2006: May – Work Group 25 starts on new Part 3
2006: November – Work on 2nd edition of Part 1 starts
2007: November – 4 more projects started…

What is ISO/IEC 20000 today?
ISO best seller (‘thousands sold’)
– Used for 3rd Party certification audits
4 certification schemes accredited
– itSMF registration scheme is market leader
Adopted internationally
– Many organisations certified (‘hundreds’)
Supported by training and qualifications
– Including EXIN, ISEB, itSMF, IRCA/JIPDEC

Often referred to as ‘The ITIL standard’
Quality standard to be aimed for; Part 1 Explains the requirements; Part 2 Best practice advice; Certification scheme; ITIL best practices; Local documents; In-house procedures / work instructions; BSI Self-assessment workbook

How do the clauses fit together?
Manage Services; Management Responsibility
PLAN: Plan service management
DO: Implement Service Management
CHECK: Monitor, Measure and Review
ACT: Continual Improvement
Business requirements; Customer requirements; Request for new or changed services; Business Results; Customer Satisfaction; New and changed services; New or changed service; Other process, business, supplier, customer; Other Teams, eg Security; Team & People Satisfaction

The ‘shall’ requirements (must do)
Leadership – Management commitment
Policy – give management direction
– Accountability
– Top-down approach
– Policy driven
Processes, support policies – what to do
Integrated processes
Intelligent use of metrics
‘Doing not documenting’
Procedures, support processes – how to do it

How is ISO/IEC 20000 used today?
Standalone or combined audits
Common QMS (ISO 9001 & ISO/IEC 27001)
20000-2 Advice on Part 2 20000-1 27001 9001 Guide 62 & ISO/IEC 17021 ISO 19011

Harmonisation and alignment
Terms
COBIT
Management system standards
IT security: ISO/IEC 27000 series
Quality management: ISO 9000 series
9001 for S/W: ISO/IEC 90003
Governance standards (ISO/IEC 28015)
Service Management: ISO/IEC 20000 series
S/W Asset Management (SAM): ISO/IEC 19770
17021; 19011
ITIL
Process assessment model (SPICE): ISO/IEC 15504
Systems engineering: ISO/IEC 15288
S/W Reference Model: ISO/IEC 12207
Software & systems engineering (process reference & process assessment)

ISO/IEC 20000-3: advice on scoping, applicability, conformity assessment
8 words in Part 1: ‘the scope of the service provider’s service management’
Example / scenarios based advice
Out for vote – results due May 2008
Single step approach; 20000-1 requirements; 20000-1; 20000-2 guidance on requirements; 20000-3 scoping & applicability

Changes being debated for Part 1 and Part 2
Closer alignment with ISO 9001 (Generic quality) & ISO/IEC 27001 (Information security)
Re-structuring:
– Clause 3 & 4 may be merged (management resp. & PDCA)
– ‘Dummy’ clauses 7.1 and 8.1 removed
– Part 2 re-aligned to Part 1
Part 2
– Better mapping to Part 1
– Overall more detail
Some changes to reflect ITIL 3:
– But ITIL 3 is closer to ISO/IEC 20000-1 than ITIL 2
– Both ITIL 2 and ITIL 3 are suitable routes

Implication of ITIL 3 changes
The link between 20K and ITIL is of spirit and intent
There cannot be a formal link between the two
– ITIL is a ‘national (UK) initiative’ (from ISO perspective)
– ITIL cannot be referenced in the 20000 series
Why is there flexibility?
– ISO/IEC 20000-1 focus is on ‘what to achieve’
– ITIL focus is advice on ‘how to’
ISO/IEC 20000-1
– Very few changes to requirements planned or required for ITIL 3
– Agreement to ITIL 3 terms being incorporated (without reference to UK crown copyright)
ISO/IEC 20000-2
– More substantial ‘ITIL 3 type’ advice to be provided
OGC / BSI white paper due soon

A few random examples…
Configuration Management Database (CMDB) – database containing all the relevant details of each configuration item and details of the important relationships between them.
ITIL V3 uses Configuration Management System (CMS) as a set of databases, tools used to manage configuration data and data such as incident, problem … employee data … locations … users.
CMS is not a new name for a CMDB. CMS may contain several CMDBs as well as tools and a wide range of data types collected for many different purposes.
The difference is not a barrier to achieving the Part 1 requirements.

A few random examples…
Many international standards refer to a broad-based category of ’defects’ or similar terms.
ISO/IEC 20000:
– Incidents
– Problems
ITIL V3 draws a more detailed distinction:
– Events
– Incidents
– Problems
– Requests
This is one of the differences between the two. Confusion can be avoided when ‘going the ITIL 3 route’ by mapping what has been done to clauses/processes in the standard – and the next edition may refer to ‘request fulfilment’.

A few random examples…
9.1 Configuration management NOTE: Financial asset accounting falls outside the scope of this section.
ITIL V3 refers to ‘Service Asset and Configuration Management’ (also referred to as ‘Service Asset Management including Configuration Management’). The term asset is used in a very broad sense as either capabilities, resources or both, depending on the context.
ITIL V3 is different to both ITIL V2 and ISO/IEC 20000 (neither use the term ‘Service Asset’). This is likely to be seen as one of the big differences, but does not present an actual barrier to achieving the requirements of clause 6.4 or clause 9.1.
The use of the term ‘service asset’ and the role of ‘service assets’ in service management are compatible with a focus on service as well as process, which is the characteristic of the standard.

One (big) step v Incremental approach
20000-2 guidance on requirements; 20000-3 scoping & applicability; Incremental approach; Single step approach; 20000-1 requirements; 20000-1; Stage 3 advice; Stage 2 advice; Stage 1 advice

Incremental stages – goal is Part 1 requirements
ISO/IEC 20000-1; Stage 3; Stage 2; Stage 1; Chaos; Continual Improvement; Service Management System

Process Reference Model and Process Assessment Model
PAM 15504-8 (SPICE); 20000-2 guidance on requirements; 20000-3 scoping & applicability; Incremental approach; Single step approach; 20000-1 requirements; Stage 3 advice; Stage 2 advice; Stage 1 advice; Conformity assessment; PRM 20000-4

Process Reference Model (PRM) & Process Assessment Model (PAM)
PRM defines processes as:
– Purpose (very similar to ‘Objective’ in 20000)
– Outcome: ‘the successful achievement of the process purpose’
– Defines basic maturity level
PAM defines process capability:
– Assessment over a series of levels
– SPICE assessment: similar to CMMi
More detailed than 20000-1 (typically 100+ pages)
More prescriptive than 20000-1
Scope as for 20000-1:2005

Other initiatives
Mapping: Standards COBIT, ITIL
20000-2 guidance on requirements; 20000-3 scoping & applicability; Incremental approach; Single step approach; 20000-1 requirements; Stage 3 advice; Stage 2 advice; Stage 1 advice; PAM 15504-8 (SPICE); Conformity assessment; PRM 20000-4

Other initiatives
Advice for ‘Very Small Enterprises’ on achieving the requirements of ISO/IEC 20000-1
Mapping: Standards COBIT, ITIL
20000-2 guidance on requirements; 20000-3 scoping & applicability; Incremental approach; Single step approach; 20000-1 requirements; Stage 3 advice; Stage 2 advice; Stage 1 advice; PAM 15504-8 (SPICE); Conformity assessment; PRM 20000-4

Summary – 1 to 2 year plan
2nd editions
Part 1: Requirements revision (9001 & ITIL alignment)
Part 2: 6 m after Part 1 (longer & ITIL alignment)
New:
Part 3: Scoping/applicability advice (ballot underway)
Part n: Incremental conformity
Part 4: Process Reference Model (Purpose/Outcome)
15504-8: Process Assessment Model
– CMMi / SPICE type multi-level assessment
Mapping across standard/methods/frameworks
– Continuing programme

Any questions?
Web sites: www.iso.org, www.jtc1-sc7.org, www.bsigroup.com
jenny.dugmore@service-matters.com

Why bother with the standard?
‘One standard fits all’
Independent of products or organisational structure
Common basis for staff training
Common inter-enterprise operational practices
– manage across a diverse environment
– improved automation
Supply chain is understood and managed
– Inter-changeability of service providers
Real proof of best practices
Minimising business risk
– greater flexibility
Delivers business benefits

Why ISO/IEC 20000? … a quick stroll round the International standards committee structure
• The standard is under the control of representatives of national standards bodies (in the UK, this is BSI)
• ISO/IEC is named this way because it is under the control of a joint international committee:
– ISO (International Organization for Standardization)
– IEC (International Electrotechnical Commission)
• JTC 1 = Joint Technical Committee 1
• SC 7 = Sub-Committee 7
• Others include SC 27 (IT Security)
• WG = Working Group
– SC 7 includes many WGs, including WG 25
• ISO standards are a separate stream
ISO; IEC; ISO/IEC JTC 1; Sub-committees; Working Groups

Why ISO/IEC 20000? … a quick stroll round the International standards committee structure
ISO IEC ISO/IEC JTC 1 SC 2 SC 3 WG 1 A WG 7 WG nn WG Governance (may move) SC n WG 10 SC 7 SC 8 WG n SC n WG 21 SC n WG SC 27 WG 25 SC n WG
Service Management: 80 members, 20 National Standards Bodies.
Liaison has been established or requested with itSMF I, IAF, ISACA/ITGI (for COBIT) and other International standards groups, TC 176 (ISO 9001), JTC 1/SC 27 (ISO/IEC 27001, IT Security).

Where we are with service management standards
ISO/IEC 12207; ISO/IEC 15288; SC 7; WG 25; WG 10 SPICE 15504-8
Capability/maturity: Previously only s/w & sys engineering (aligned with CMMi)
ISO Active group; Part 4; Mapping; Part ‘n’; Part 3; Part 2; Part 1; ISO Active group; WG 25 CAB & Active group; ISO Active group
Editor: Jyrki Lahnalati; Co-editor: Antonio (Tony) Coletta
Editor: Beatrix Barafort; Co-editor: Melanie Cheung
‘Editor’: Jenny Dugmore; ‘Co-editors’: Marc Taillefer
WG 25 editors; Panel on capability/maturity; Mapping and CAB Panel
Editor: Olivier Martin; Co-editors: Luis Rosa, Alain Renault
Editor: Anita Myrberg; Co-editor: Darcie Destito
Editor: Lynda Cooper; Co-editor: Tess Du Plessis
Editor: Kenichiroh Yoshida; Co-editor: Not yet appointed
Panel 1: Management system ‘20K as we know it – but better’