In an earlier posting on this website concerning the International Organization of Standards (ISO) release of the new Service Management System standard — ISO/IEC 20000-1:2011(E) — Sally Smoczynski, one of this website’s contributing writers, gave us a condensed version of some of the highlights expressed in this new standard as compared to the previous standard — ISO/IEC 20000-1: 2005. And, as stated in that write-up — more information was yet to come. That information is now available.
Our staff is pleased to announce that Ms. Smoczynski has teamed up with Tim Woodcome, Conformity Assessment Director with the National Quality Assurance Registrar Group, NQA, and they have published a more complete article on this topic, entitled “ISO UPDATE: ISO 20000-1 HAS BEEN REVISED“.
The original document was posted on the NQA website just a few days ago, but, fortunately, with their permission, this website has been allowed to present this information to our readership via reference to that document …..(please see below)….
“ISO UPDATE: ISO 20000-1 HAS BEEN REVISED
On Friday, April 15, 2011, The international organization of standards (ISO) released the updated standard for Service Management with ISO/IEC 20000-1:2011(E). There are significant changes to the structure and wording of the requirements that takes away a lot of the interpretation which caused some confusion of the previous version ISO/IEC 20000-1:2005. This article attempts to provide you with the highlights of the changes. We encourage you to purchase the standard to fully understand the scope of the changes.
The most obvious change to the standard is the removal of the reference to this standard being an “IT Service Management System”. It is now referred to as a “Service Management System”. Some other highlights include:
- Terms and definitions have 37 definitions over the 15 in the 2005 version
- Consistent use of the term Governance
- Removal of Objective Statements after each clause or sub clause
- Reference to Resources as being “human, technical, financial and information”
- Requirement for a catalog of services
- Requirements to create procedures and details of what they should contain
- Clearer content around the requirements. Although the shalls are basically the same requirement, the wording and explanations are much more direct and leave less for interpretation.
- Removed the term “Stakeholders” and replaced with “Interested Parties”
- Repeated references that a service provider must plan, establish, implement, operate, monitor, review, maintain and improve the SMS and the requirements include the design, transition, delivery and improvement of services to fulfill service requirements.
- Updated bibliography
The table below provides a detailed correlation between the table of contents from the 2005 version to the table of contents on the 2011 version with a description of key changes.
ARE YOU ALREADY CERTIFIED?
If you already hold an ISO/IEC 20000-1:2005 certification, we will be issuing a transition plan for your organization to make any necessary changes to update your current set of requirements. We expect the transition period to be over 18 months
IN THE PROCESS OF IMPLEMENTING ISO 20000?
If you are in the process of implementing ISO 20000 under the 2005 requirements, the progress is still valid. Depending on your timeline for certification, you may still obtain your certification to the 2005 requirements. Once we issue a transition plan, you will have a better understanding of when to make some of these changes.
Did the guidance document get updated?
The supporting guidance document, ISO/IEC 20000-2:2005 is currently under revision and is expected to be released later this year. CAUTION to ensure you do not use it as an absolute reference to the new standard.
|ISO 20000-1:2005||ISO 20000-1:2011||Additions/Changes|
|“Information Technology – Service management – Part 1: Specification||“Information Technology – Service management – Part 1: Service Management system requirements|
|Forward and Introduction||Forward and Introduction||More detailed and includes reference to a Service Management System and integrated management systems.|
|1 Scope||1 Scope1.1 General1.2 Application||Update figure for Service management system and includes closer verbiage to ITIL v3|
|2 Normative References||Aligns with ISO 9001:2008|
|2 Terms and Definitions15 terms included||3 Terms and Definitions37 terms included||Many terms not include cross references and additional notations|
|3 Requirements for a Management System||4 Service management system general requirements|
|3.1 Management Responsibility||4.1 Management responsibility4.1.1 Management commitment4.1.2 Service management policy4.1.3 Authority, responsibility and communication4.1.4 Management representative4.2 Governance of processes operated by other parties||The new section breaks down more specific shalls according to the section header.4.1.4 provides more responsibility for the Management representative4.2 Provides more direct accountability or governance when service provider is reliant on other parties for the processes that are operated outside of the service provider itself|
|3.2 Documentation Requirements||4.3 Document management4.3.1 Establish and maintain documents4.3.2 Control of documents4.3.3 Control of records||4.3.1 details some of the required documents and now names a catalog of services as a required document.4.3.2, 4.3.3 Separated control of documents and control of records. 4.3.2 specifically details the requirement to create and approve documents. Provides specific requirements.4.3.3 Specific requirement for the control of records including identification, storage and protection.|
|3.3 Competence Awareness Training||4.4 Resource management4.4.1 Provision of resource4.4.2 Human resources||4.4.1 Specifically states that the service provider shall determine and provide human, technical, information and financial resources to support the SMS.4.4.2 specifically for those with roles in the SMS are clearly defined requirements for competence, training and knowledge of their role in the SMS|
|4 Planning and Implementing service management4.1 Plan Service Management4.2 Implement Service Management4.3 Monitor, Measure Review4.4 Continuous Improvement4.41 Policy4.42 Management Improvements4.43 Activities|| 4.5 Establish and improve the SMS4.5.1 Define scope4.5.2 Plan the SMS (Plan)4.5.3 Implement and operate the SMS (Do)4.5.4 Monitor and review the SMS (Check)18.104.22.168 General22.214.171.124 Internal Audit126.96.36.199 Management Review4.5.5 Maintain and improve the SMS (Act)188.8.131.52 General
184.108.40.206 Management of Improvements
|4.5.1 requires that the scope is included in the Service Management plan. 4.5.2 replaces 4.1 with more direct language of what to include in the Service Management plan such as including known limitations that could affect the SMS.4.5.3 Separate out requirements for internal audit and management reviews4.5.5 Includes the term Corrective and Preventive action and makes reference to ISO 9001:20084.5.5.2 Detailed requirements for management of improvements and includes requirement to identify, document, evaluate, approve, prioritize, manage, measure and report improvements|
|5.0 Planning and Implementing New or Changed Services||5 Design and Transition of new or changed services5.1 General5.2 Plan new or changed services5.3 Design and development of new or changed services5.4 transition of new of changed services||5 Much clearer direction and requirements for the planning and transition of a new or changed service with specific reference to management of Configuration items.5.3 includes reference to documenting change technology and updates to the catalog of services. 5.4 requires a transition and inter-dependency to release and deployment|
|6 Service Delivery Process||6 Service Delivery Process|
|6.1 Service Level Management||6.1 Service Level Management||Further definition of what is included in an SLA. Requirements of an agreed catalog of services. New reference to service components provided by an internal group or the customer and specific reference to review of these types of SLAs|
|6.2 Service Reporting||6.2 Service Reporting||Addition of identification of the frequency of a service report.. Clearer descriptions of what a service report includes.|
|6.3 Service Continuity and Availability Management||6.3 Service Continuity and Availability Management6.3.1 Service Continuity and Availability requirements6.3.2 Service Continuity and Availability plans6.3.3 Service Continuity and Availability monitoring and testing||6.3.1 clearly requires a risk assessment against continuity and availability.6.3.2 clear requirements for contents of plans|
|6.4 Budgeting and Accounting for IT Services||6.4 Budgeting and accounting for services||Removed the reference to ITExplicit requirements stating “There shall be policies and documented procedures for…”specific list for what is to be included.|
|6.5 Capacity Management||6.5 Capacity Management||Additional guidance for capacity plan contents including a tie in to service continuity and availability.|
|6.6 Information Security Management||6.6 Information Security Management6.6.1 information security policy6.6.2 information security controls6.6.3 Information security changes and incidents||6.6.1 Clearer detail on what is included in the security policy and now includes a requirement that internal information security audits are conducted 6.6.2 defines controls in physical, administrative and technical.|
|7 Relationship Process||7 Relationship Process|
|7.1 General||Removed 7.1 General|
|7.2 Business Relationship Management||7.1 Business Relationship Management||Renumber of sub clause. 7.1 requirement to identify and document the customers, users and interested parties of the services. No reference to stakeholders.|
|7.3 Supplier Management||7.2 Supplier Management||Renumber of sub clause 7.2 Very clear requirements to what a supplier contract must include or reference|
|8 Resolution process||8 Resolution process|
|8.1 Background||Removed 8.1 background|
|8.2 Incident Management||8.1 Incident and service request managements||Added service request 8.1 defined procedure for incident. Must have a named person responsible for managing a major incident. Terms and definitions define incident and service request|
|8.3 Problem Management||8.2 Problem Management||Requirement to create a procedure and details required elements|
|9 Control Processes||9 Control Processes|
|9.1 Configuration Management||9.1 Configuration Management||Clear requirements for the definition of a CI.|
|9.2 Change Management||9.2 Change Management||A requirement for a change management policy. Requirements to control the types of changes with specific reference major impact changes to follow clause 5. Requirement that states “Approved changes shall be developed and tested”|
|10 Release process||Removed clause 10 entirely.|
|10.1 Release management process||9.3 Release and Deployment management||A clearer requirement that the release policy must be agreed to by the customer.|
The contents of this article was supported with input from Sally Smoczynski, a managing partner at Radian Compliance, LLC. Radian Compliance provides implementation, internal audit and education for Service Management, Information Security and Business Continuity. You may reach Sally at 630.728.7181 or email@example.com.”
If applicable, please pass this information along to those information security management, service delivery and business relationship and risk management team members in your organization.
Photo courtesy of iqms.co.uk