February 5, 2012

INTEGRATED ASSESSMENT — A Potential Option

By: Sally Smoczynski

Has your organization ever implemented or potentially needed to implement, audit or certify to more than one quality initiative?  If so, would you be concerned about duplication of effort and additional costs?

As a Managing Partner in a consultancy firm that specializes in the implementation of ISO Standards, I very often find that our clients have already passed a Capability Maturity Model Integration (CMMI) level 3 Assessment or gone through a Standard CMMI Method for Process Improvement (“SCAMPI”) process. In these situations, the integration of ISO 20000 Service Management and CMMI, while not seamless, is a natural process over time, particularly at CMMI level 3 for Services and above.

Certainly, this example would be an opportunity to have an integrated assessment approach available to better integrate the whole quality control system of an organization, and, at the same time, better collectively analyze the strengths and weaknesses of that system.

I would like to focus your attention on a recent whitepaper report, written by Subrata Guha, Director of IT Services for UL DQS, Inc. In this report Subrata writes about an integrated assessment he and his firm conducted combining ISO 9001 and CMMI for Development. The roadmap of this integrated assessment (audit) process included both the ISO 9001 Stage 1 and Stage 2 audits as well as the full SCAMPI 8 for CMMI Development. The result was an effective assessment that reduced staff time requirements and audit / assessment days – and therefore, costs.

This report provides an exciting opportunity for organizations to share a more robust integrated foundation between ISO and CMMI.

This whitepaper also suggests that this integrated assessment methodology can be created for ISO 20000 Service Management System and CMMI.

I welcome our readers to read this whitepaper, and please share your thoughts and comments on this integrated assessment potential option. And, if applicable, pass this information along to the IT Service Management and Quality Management team members in your organization.


ISO 20000-1: 2011 vs. 2005 Revisions — Continued Update

In an earlier posting on this website concerning the International Organization of Standards (ISO) release of the new Service Management System standard — ISO/IEC 20000-1:2011(E) — Sally Smoczynski, one of this website’s contributing writers, gave us a condensed version of some of the highlights expressed in this new standard as compared to the previous standard — ISO/IEC 20000-1:2005. And, as stated in that write-up, more information was yet to come. That information is now available.

Our staff is pleased to announce that Ms. Smoczynski has teamed up with Tim Woodcome, Conformity Assessment Director with the National Quality Assurance Registrar Group, NQA, and they have published a more complete article on this topic, entitled “ISO UPDATE: ISO 20000-1 HAS BEEN REVISED”.

The original document was posted on the NQA website just a few days ago, but, fortunately, with their permission, this website has been allowed to present this information to our readership via reference to that document (please see below).

“ISO UPDATE: ISO 20000-1 HAS BEEN REVISED

On Friday, April 15, 2011, the International Organization of Standards (ISO) released the updated standard for Service Management with ISO/IEC 20000-1:2011(E). There are significant changes to the structure and wording of the requirements that take away a lot of the interpretation which caused some confusion in the previous version, ISO/IEC 20000-1:2005. This article attempts to provide you with the highlights of the changes. We encourage you to purchase the standard to fully understand the scope of the changes.

HIGHLIGHTS:

The most obvious change to the standard is the removal of the reference to this standard being an “IT Service Management System”.  It is now referred to as a “Service Management System”.  Some other highlights include:

  • Terms and definitions have 37 definitions over the 15 in the 2005 version
  • Consistent use of the term Governance
  • Removal of Objective Statements after each clause or sub clause
  • Reference to Resources as being “human, technical, financial and information”
  • Requirement for a catalog of services
  • Requirements to create procedures and details of what they should contain
  • Clearer content around the requirements. Although the shalls are basically the same requirement, the wording and explanations are much more direct and leave less for interpretation.
  • Removed the term “Stakeholders” and replaced it with “Interested Parties”
  • Repeated references that a service provider must plan, establish, implement, operate, monitor, review, maintain and improve the SMS, and the requirements include the design, transition, delivery and improvement of services to fulfill service requirements.
  • Updated bibliography

The table below provides a detailed correlation between the table of contents of the 2005 version and the table of contents of the 2011 version, with a description of key changes.

ARE YOU ALREADY CERTIFIED?

If you already hold an ISO/IEC 20000-1:2005 certification, we will be issuing a transition plan for your organization to make any necessary changes to update your current set of requirements. We expect the transition period to be over 18 months.

IN THE PROCESS OF IMPLEMENTING ISO 20000?

If you are in the process of implementing ISO 20000 under the 2005 requirements, the progress is still valid.  Depending on your timeline for certification, you may still obtain your certification to the 2005 requirements.  Once we issue a transition plan, you will have a better understanding of when to make some of these changes.

Did the guidance document get updated?

The supporting guidance document, ISO/IEC 20000-2:2005, is currently under revision and is expected to be released later this year. CAUTION: ensure you do not use it as an absolute reference to the new standard.

| ISO 20000-1:2005 | ISO 20000-1:2011 | Additions/Changes |
|---|---|---|
| “Information Technology – Service management – Part 1: Specification” | “Information Technology – Service management – Part 1: Service Management system requirements” | |
| Foreword and Introduction | Foreword and Introduction | More detailed and includes reference to a Service Management System and integrated management systems. |
| 1 Scope | 1 Scope; 1.1 General; 1.2 Application | Updated figure for the Service management system and includes closer verbiage to ITIL v3. |
| | 2 Normative References | Aligns with ISO 9001:2008. |
| 2 Terms and Definitions (15 terms included) | 3 Terms and Definitions (37 terms included) | Many terms now include cross references and additional notations. |
| 3 Requirements for a Management System | 4 Service management system general requirements | |
| 3.1 Management Responsibility | 4.1 Management responsibility; 4.1.1 Management commitment; 4.1.2 Service management policy; 4.1.3 Authority, responsibility and communication; 4.1.4 Management representative; 4.2 Governance of processes operated by other parties | The new section breaks down more specific shalls according to the section header. 4.1.4 provides more responsibility for the Management representative. 4.2 provides more direct accountability or governance when the service provider is reliant on other parties for processes that are operated outside of the service provider itself. |
| 3.2 Documentation Requirements | 4.3 Document management; 4.3.1 Establish and maintain documents; 4.3.2 Control of documents; 4.3.3 Control of records | 4.3.1 details some of the required documents and now names a catalog of services as a required document. 4.3.2 and 4.3.3 separate control of documents from control of records. 4.3.2 specifically details the requirement to create and approve documents and provides specific requirements. 4.3.3 gives specific requirements for the control of records, including identification, storage and protection. |
| 3.3 Competence, Awareness, Training | 4.4 Resource management; 4.4.1 Provision of resources; 4.4.2 Human resources | 4.4.1 specifically states that the service provider shall determine and provide human, technical, information and financial resources to support the SMS. 4.4.2 clearly defines, for those with roles in the SMS, requirements for competence, training and knowledge of their role in the SMS. |
| 4 Planning and Implementing service management; 4.1 Plan Service Management; 4.2 Implement Service Management; 4.3 Monitor, Measure, Review; 4.4 Continuous Improvement; 4.4.1 Policy; 4.4.2 Management Improvements; 4.4.3 Activities | 4.5 Establish and improve the SMS; 4.5.1 Define scope; 4.5.2 Plan the SMS (Plan); 4.5.3 Implement and operate the SMS (Do); 4.5.4 Monitor and review the SMS (Check); 4.5.4.1 General; 4.5.4.2 Internal Audit; 4.5.4.3 Management Review; 4.5.5 Maintain and improve the SMS (Act); 4.5.5.1 General; 4.5.5.2 Management of Improvements | 4.5.1 requires that the scope is included in the Service Management plan. 4.5.2 replaces 4.1 with more direct language on what to include in the Service Management plan, such as known limitations that could affect the SMS. 4.5.3 separates out requirements for internal audit and management reviews. 4.5.5 includes the term Corrective and Preventive action and makes reference to ISO 9001:2008. 4.5.5.2 gives detailed requirements for management of improvements and includes the requirement to identify, document, evaluate, approve, prioritize, manage, measure and report improvements. |
| 5.0 Planning and Implementing New or Changed Services | 5 Design and Transition of new or changed services; 5.1 General; 5.2 Plan new or changed services; 5.3 Design and development of new or changed services; 5.4 Transition of new or changed services | 5 gives much clearer direction and requirements for the planning and transition of a new or changed service, with specific reference to management of Configuration Items. 5.3 includes reference to documenting change technology and updates to the catalog of services. 5.4 requires a transition and inter-dependency to release and deployment. |
| 6 Service Delivery Process | 6 Service Delivery Process | |
| 6.1 Service Level Management | 6.1 Service Level Management | Further definition of what is included in an SLA. Requirement for an agreed catalog of services. New reference to service components provided by an internal group or the customer, and specific reference to review of these types of SLAs. |
| 6.2 Service Reporting | 6.2 Service Reporting | Addition of identification of the frequency of a service report. Clearer descriptions of what a service report includes. |
| 6.3 Service Continuity and Availability Management | 6.3 Service Continuity and Availability Management; 6.3.1 Service Continuity and Availability requirements; 6.3.2 Service Continuity and Availability plans; 6.3.3 Service Continuity and Availability monitoring and testing | 6.3.1 clearly requires a risk assessment against continuity and availability. 6.3.2 gives clear requirements for the contents of plans. |
| 6.4 Budgeting and Accounting for IT Services | 6.4 Budgeting and accounting for services | Removed the reference to IT. Explicit requirements stating “There shall be policies and documented procedures for…” with a specific list of what is to be included. |
| 6.5 Capacity Management | 6.5 Capacity Management | Additional guidance for capacity plan contents, including a tie-in to service continuity and availability. |
| 6.6 Information Security Management | 6.6 Information Security Management; 6.6.1 Information security policy; 6.6.2 Information security controls; 6.6.3 Information security changes and incidents | 6.6.1 gives clearer detail on what is included in the security policy and now includes a requirement that internal information security audits are conducted. 6.6.2 defines controls as physical, administrative and technical. |
| 7 Relationship Process | 7 Relationship Process | |
| 7.1 General | | Removed 7.1 General. |
| 7.2 Business Relationship Management | 7.1 Business Relationship Management | Renumbering of sub clause. 7.1 requires identifying and documenting the customers, users and interested parties of the services. No reference to stakeholders. |
| 7.3 Supplier Management | 7.2 Supplier Management | Renumbering of sub clause. 7.2 gives very clear requirements on what a supplier contract must include or reference. |
| 8 Resolution process | 8 Resolution process | |
| 8.1 Background | | Removed 8.1 Background. |
| 8.2 Incident Management | 8.1 Incident and service request management | Added service request. 8.1 defines a procedure for incidents. Must have a named person responsible for managing a major incident. Terms and definitions define incident and service request. |
| 8.3 Problem Management | 8.2 Problem Management | Requirement to create a procedure and details of required elements. |
| 9 Control Processes | 9 Control Processes | |
| 9.1 Configuration Management | 9.1 Configuration Management | Clear requirements for the definition of a CI. |
| 9.2 Change Management | 9.2 Change Management | A requirement for a change management policy. Requirements to control the types of changes, with specific reference to major impact changes following clause 5. Requirement that states “Approved changes shall be developed and tested”. |
| 10 Release process | | Removed clause 10 entirely. |
| 10.1 Release management process | 9.3 Release and Deployment management | A clearer requirement that the release policy must be agreed to by the customer. |

The contents of this article were supported with input from Sally Smoczynski, a managing partner at Radian Compliance, LLC. Radian Compliance provides implementation, internal audit and education for Service Management, Information Security and Business Continuity. You may reach Sally at 630.728.7181 or ssmoczynski@radiancompliance.com.”

If applicable, please pass this information along to those information security management, service delivery and business relationship and risk management team members in your organization.


ISO/IEC 20000-1:2011 Standard Formally Released

by: Sally Smoczynski, Contributing Writer

I just wanted to let you know that ISO has just issued a new update to the ISO/IEC 20000-1:2005 standard. There is now a revised standard, ISO/IEC 20000-1:2011. It is available for purchase at http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=51986

What does this mean for you?

At this time, if you have already been certified to the old version of the standard, your Service Management System is still valid! In the near future, the Registrars will issue a transition plan that will require certified organizations to transition to the new requirements of the standard. It is usually an 18-month transition period.

I have highlighted a few of the changes for you to consider:

  1. The updated standard refers to a Service Management System instead of an IT Service Management System.
  2. Clauses 3 and 4 have been collapsed into one clause and have been aligned with ISO 9001 and ISO 27001 requirement statements.
  3. There are additional definitions in the glossary.
  4. There is more clarification in most sections.

| ISO/IEC 20000-1:2005 | ISO/IEC 20000-1:2011 | Change |
|---|---|---|
| Clause 3 Management Responsibility; Clause 4 PDCA Service Management | Clause 4 Service Management Responsibility | Clauses 3 & 4 have been merged into one Clause |
| Clause 5 New or Changed Services | Clause 5 Design and Transition of New or Changed Services | Clause 5 has been expanded to a more ITIL based Service Design and Transition process |
| | | Clause 6 has added more clarification and expansion on requirements for each sub clause |
| | | Clause 7 has added additional guidance on supplier management |
| Clause 8.2 Incident Management | Clause 8.2 Incident and Service Request Management | Clause 8 has included service request in incident management |
| Clause 10 Release Management | Clause 9.3 Release and Deployment Management | Clause 9 has included Release and Deployment Management; Clause 10 is removed |

I am certain that more will be written about these changes and their effects on organizations already certified to ISO/IEC 20000-1:2005 or those considering either compliance with or certification to the new standard ISO/IEC 20000-1:2011 — so be watchful for those notices on this website or other websites dealing with this standard.