Contents

Introduction 3
Summary of the changes within ISO/IEC 20000-1:2011 3
Overview 3
Detail review 4
1. Scope 4
2. Normative references 4
3. Terms and definitions 4
4. Service management system general requirements 4
5. Design and transition of new or changed services 5
6. Service delivery processes 5
7. Relationship processes 6
8. Resolution processes 6
9. Control processes 6-7
Appendix A 8
How to apply for and maintain Training Organization Approval and Training Course Certification

IRCA 3000 WWW.IRCA.ORG Page 2 of 9

Copyright IRCA 2012. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission of the International Register of Certificated Auditors (IRCA).

Introduction

The International Register of Certificated Auditors (IRCA) has prepared this briefing note to communicate to IRCA Certificated Auditors, IRCA Approved Training Organizations and other interested parties our understanding of ISO/IEC 20000-1:2011. The content of this briefing note is provided in good faith and is the opinion of IRCA. It should not be reproduced nor used for commercial purposes. IRCA Certificated Auditors and IRCA Approved Training Organizations are advised to familiarise themselves with ISO/IEC 20000-1:2011.

The provision of IT services and the development of their underpinning Service Management Systems (SMS) has evolved considerably since the original standard was published in 2005. The sector has evolved from provision of internal corporate IT systems and bespoke outsourcing of corporate IT systems toward one that embraces consumerization and offers provision of more generic, utility IT services. Practices and methodologies such as ITIL have evolved alongside those developments. ISO/IEC 20000-1:2011 requirements and conformance controls have similarly changed to accommodate that.
The 2011 revision also reinforces alignment with other management system standards, particularly ISO/IEC 9001:2008 Quality management systems - Requirements and ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements, improving and enabling an integrated, process-based approach across disciplines as part of a business management system.

Some may view the modifications of ISO/IEC 20000-1:2011 as a substantial change. Others may think it largely captures good practices already implemented. IRCA's view is that publication of ISO/IEC 20000-1:2011 provides organizations implementing IT Service Management Systems, and organizations needing to conduct audits of IT Service Management Systems, an opportunity to re-assess their own practices and identify improvement opportunities.

Overview

A principal constraint of ISO 20000-1:2005 when implementing or assessing the conformance of an IT Service Management System (ITSMS) was the number of mandated processes; these were often worded such that they required auditor interpretation and agreement with the auditee. Throughout ISO/IEC 20000-1:2011 many of these process requirements are replaced with explicitly mandated documented procedures. Many are extended with prescribed minimum attributes that improve clarity of review, understanding of intent and support conforming implementation.

As an indicator of the extent of changes to conformance requirements it is interesting to note that:

- ISO 20000-1:2005 had 171 "shall" statements
- ISO 20000-1:2011 has 257 "shall" statements (+50% approximately)

The revision also reinforces alignment with other management system standards, particularly ISO/IEC 9001:2008 Quality management systems and ISO/IEC 27001:2005 Information security management systems. Auditors and assessors with experience of these standards will be familiar with the common themes and terminology.
However, those with experience only of ISO 20000-1:2005 may need to carefully review the current standard to ensure an appropriate understanding of revised conformance requirements.

IRCA Briefing note: ISO/IEC 20000:2011

Detail review

Many clauses of ISO 20000-1:2005 began with a statement of the objective of that clause (though not clauses titled General or Background). These have been removed and do not appear in ISO/IEC 20000-1:2011.

1. Scope

It is this section that confirms the applicability of the standard to the whole service management system lifecycle. The general use cases described in 1.1 a) to f) are derived and developed from those in ISO 20000-1:2005 to clarify the perspectives of the service provider, the organization seeking services from a provider, and the assessor or auditor of conformity.

Figure 2, the Service Management System diagram, promotes a more consistent view of the relationship of elements of ISO/IEC 20000-1:2011. Most notably, the relationship with customers and other stakeholders is added. The service management system requirements and design and transition of new or changed services are added as layers in the diagram to demonstrate their context and relationship with service delivery, resolution, relationship and control processes. Also of note, release and deployment management is subsumed into the category of control processes.

Clause 1.2 Application is added, documenting further clarification of requirements for conformance. Here it is acknowledged that parts of the service delivery (clauses 5 to 9) may be provided by other parties and that evidence of process governance from these sources is admissible. However, it is emphasised that service management responsibility, governance of other parties involved in service provision, documentation management, resource management and service establishment and improvement defined in clause 4 must be evidenced only by the service provider.
No part of that clause may be delegated or contracted to another party. ISO/IEC TR 20000-3 provides additional guidance on scope definition and applicability, including further explanation about the governance of processes operated by other parties.

2. Normative references

This empty clause is added only for the purpose of clause numbering alignment with ISO/IEC 20000-2.

3. Terms and definitions

As would be expected from a technical revision, there are now 37 defined terms in ISO/IEC 20000-1:2011 compared with the 15 listed in ISO 20000-1:2005. Many of the additional terms are adopted or adapted from ISO 9000:2005 Quality management systems - Fundamentals and vocabulary and ISO 27000:2009 Information technology - Security techniques - Information security management systems - Overview and vocabulary, and others are consistent with ITIL v3 (although ISO/IEC 20000-1:2011 is independent of any specific implementation methodology).

For example, clause 3.11 defines information security as "preservation of confidentiality, integrity and accessibility of information". "Accessibility" is inconsistent with ISO 27000:2009, which uses the term "availability"; however, "accessibility" is used here to avoid conflict with the existing ISO/IEC 20000-1:2011 definition of [IT service] availability as per clause 3.1 of this standard.

The improved consistency of terms used with other management system standards is a welcome assistance enabling an integrated, process-based approach across disciplines. However, before undertaking a conformity assessment, care is needed to thoroughly review the defined terms to ensure a common understanding of the idiosyncrasies of some adapted terms.

4. Service management system general requirements

The use of clause 4 to define management system requirements reinforces alignment with other management system standards, particularly ISO/IEC 9001:2008 and ISO/IEC 27001:2005.
Clause 4 of this standard is an extensive redevelopment of clauses 3 and 4 of ISO 20000-1:2005, transferring the mature management system principles established by ISO 9001 into this standard. It is not a like-for-like adoption, however; while the requirements and terminology may be familiar, clause 4 of this standard amalgamates equivalent elements from a number of ISO 9001 (and, similarly, ISO 27001) clauses, as outlined in Appendix A.

4.1 Management responsibility is a thorough re-work of ISO 20000-1:2005 clause 3.1, introducing a number of additional requirements. Top management commitment, policy management, authority and responsibility are specified, and the requirements of the Management Representative are defined in more detail.

ISO 20000-1:2005 required mutual agreement of interpretation of the term "supplier" when assessing conformance of service delivery dependencies through the supplier management clause (supplier was not a defined term in that standard, although clause 7.2 Figure 3 indicated an intention to consider only external suppliers). ISO/IEC 20000-1:2011 introduces clause 4.2 Governance of processes operated by other parties to acknowledge and clarify the range of parties involved in contributing to successful service delivery (internal service provider groups, external suppliers or customer contributions). Further, you will recall from clause 1.2 that a service provider cannot rely on evidence of the governance of processes operated by other parties for the requirements in clause 4: conformance now requires the service provider to demonstrate both an awareness of the range of service delivery dependencies and governance of those concerns. ISO/IEC TR 20000-3 provides further guidance about the governance of processes operated by other parties.

Clause 4.3 Documentation management defines a more prescribed documentation set for the SMS and introduces formalised document and record controls.
A notable addition is the explicit requirement to document a catalogue of services as a separate and distinct document from the Service Level Agreement (SLA); this foundation document is referred to again in support of service design, and its purpose is clarified in clause 6.1 Service level management.

4.4 Resource management clarifies the SMS definition of resources (omitted from clause 2) as human, technical, information and financial resources, with the conformance requirements for determination and provision of these.

4.5 Service management system planning and implementation, derived from ISO 20000-1:2005 clause 4, has been re-worked in this standard. While the principles and structural outline have been maintained, there are numerous detailed requirement changes throughout which remove many points of ambiguity and interpretation and enable improved consistency of application. For example, the service management plan shall now "contain or reference ... statutory and regulatory requirements ... and ... criteria for accepting risks", analogous to ISO 27001 information security management system control requirements. Due to the broad and detailed redevelopment, a thorough review of clause 4 is required to become familiar with and understand the revised and new conformance requirements.

5. Design and transition of new or changed services

Practices and requirements defined by ISO 20000-1:2005 clause 5 have been reworked and expanded to create clause 5 in this standard. Clause 5.1 re-emphasises change management as the prime controlling process.
While acknowledging that the planning and design of new or changed services may result in some proposed changes that are rejected, the clause makes clear that the service provider shall take necessary actions to ensure that the remaining accepted changes are sufficient to perform the new or changed service effectively (an indirect conformance requirement for post-change effectiveness monitoring and review that is made more explicit in clause 9.2).

Clauses 5.2 and 5.3 list quite comprehensive requirements for planning, design and development of new or changed services, including specific requirements for services that are to be removed (mothballed, closed or retired) and due diligence of dependencies with other parties contributing to the provision of service components.

5.4 Transition of new or changed services redefines requirements for pre-deployment service testing against service provider and stakeholder pre-agreed acceptance criteria, use of the revised release and deployment control process to migrate the service into the live environment, and a post-deployment review against expected outcomes.

6. Service delivery processes

The overall structure and purpose of this clause remains unchanged. However, a detailed review reveals many additional conformance requirements where ISO 20000-1:2005 statements have been clarified and refined. More significant changes are outlined below.

There are two notable changes to clause 6.1 Service level management. The first change updates the ISO 20000-1:2005 requirement that each service was to be defined, agreed and documented in one or more SLAs. ISO/IEC 20000-1:2011 recognises that a customer may contract a portfolio of IT services from a provider and that these shall now be defined in a catalogue of services for that customer that includes the dependencies between services and service components. This is then supplemented with one or more SLAs for each of the services being delivered.
The other change echoes Governance of processes operated by other parties (clause 4.2): distinct from supplier management (addressed later in clause 7.2), the final paragraph of clause 6.1 mandates governance requirements for service components provided by an internal group or the customer.

Clause 6.2 Service reporting is broadly unchanged in principle; however, the conformance requirements for service report context and content are more prescribed.

6.3 Service continuity and availability management has been expanded and logically restructured into three sub-clauses with clarified conformance requirements, as follows.

Clause 6.3.1 Service continuity and availability requirements re-emphasises risk assessment of service continuity and availability as the first step in identifying and agreeing requirements with the customer and other interested parties. However, in assessing the conformance of a service provider that delivers a standardised service to a range of customers, the continuity and availability of that service would be risk-assessed and service level targets committed as part of the pre-contract service specification and SLA offered to those customers. The commercial contract would then constitute customer agreement to those prescribed continuity and availability commitments.

6.3.2 Service continuity and availability plans does not continue the former requirement to ensure that requirements are met "as agreed in all circumstances", as that contradicted the risk-based nature of service continuity and availability management. The clause does prescribe service continuity plan and service availability plan content, with the note that these plans may be combined into one document.

6.3.3 Service continuity and availability monitoring and testing drops the requirement to review the plans at least annually; this standard takes an event-driven approach, mandating review after testing the plans or after invoking the service continuity plan.
As previously, service continuity and availability plans shall be re-tested after major changes to the service environment. Further, the tests are to be conducted against continuity and availability requirements, results recorded and reviewed, necessary actions taken and the result of those actions reported.

6.4 Budgeting and accounting for services remains broadly unchanged, although the revised layout and wording aids clarification. One notable addition is the requirement for a defined interface between the budgeting and accounting for services process and other financial management processes.

Similarly, 6.5 Capacity management generally replicates the previous version of the standard, though again there are subtle changes. The scope of resources to be managed is explicitly listed as human, technical, information and financial resources. Further, there is a subtle change of wording that mandates the required outcome: ISO 20000-1:2005 stated that "Methods, procedures and techniques shall be identified to monitor service capacity, tune service performance and provide adequate capacity." An arguable interpretation of this statement is that the provider could identify methods, procedures and techniques without actually committing to use these to provide adequate capacity. ISO/IEC 20000-1:2011 requires quite unambiguously that "The service provider shall provide sufficient capacity to fulfil agreed capacity and performance requirements."

6.6 Information security management has been reworked to improve alignment with the requirements of ISO 27001. It has been divided into clauses covering information security policy, [risk] controls, and change and incident management. The new policy and control requirements, although lightweight compared with ISO 27001, are more prescriptive than the previous version of this standard and may challenge some organizations that have not implemented an information security management system conforming to ISO 27001.
In comparison, 6.6.3 Information security changes and incidents should be less challenging, as this generally replicates the requirements of the previous version of this standard to integrate information security management into existing change management, incident management and improvement processes.

7. Relationship processes

The overall structure and content of this clause remains unchanged, though there are some detailed changes.

7.1 Business relationship management has more focus upon the customer and is less prescriptive about the relationship with other stakeholders. The annual service review specified in ISO 20000-1:2005 has been replaced in this standard by the requirement for an unspecified communication mechanism, enabling a variety of arrangements from an annual review to a continuous, on-demand review tailored to business requirements. The purpose of this communication is defined, though the wording is a little ambiguous; a reasonable interpretation is recommended as "to promote [mutual] understanding of the business environment in which the services operate and requirements for new or changed services". This would enable, for example:

- the service provider to remain aware of the customer's business and operational environment and requirements for change arising from the customer, and
- the service provider to respond to changes in their own strategic and commercial environment and improve, adjust or replace elements of a generic service provided to a number of customers.

Whilst the requirements for management of customer complaints remain unchanged, customer satisfaction now takes a pragmatic view and enables measurement and analysis based on a representative sample of the customers and users of the services.

7.2 Supplier management now documents a prescriptive list of elements that must be included or referenced in a supplier contract.
The annual major review of the [supplier] contract or formal agreement specified in ISO 20000-1:2005 has been replaced with the more passive requirement to monitor the performance of the supplier at planned intervals. Of particular note is the replacement of two process requirements with:

- the requirement for the supplier contract to define or reference activities and responsibilities for termination of the contract and the transfer of services to a different party, ensuring that this is proactively addressed and documented before the need for transfer or termination arises, and
- the requirement for a documented procedure to manage contractual disputes.

8. Resolution processes

8.1 Incident and service request management acknowledges contemporary practice in many organizations to process incident reports and service change requests through one customer-facing unit and one common process; in this standard, the administration of service requests is lifted out of the Change management clause and placed here. The standard requires the incident and service request management process to be defined by two separate documented procedures for incident and service request lifecycle management, from recording to closure. Information to be made available to personnel performing the process is prescribed and includes information from the Release and deployment management process. The final paragraph prescribes how major incidents are now to be managed using a documented procedure.

8.2 Problem management remains broadly unchanged, although the revised layout and wording aids clarity. One notable improvement is the explicit acknowledgement that not all problems are permanently resolvable; commercial, technical or external constraints may prevent that from happening. The clause now states that where the root cause has been identified but the problem has not been permanently resolved, the service provider shall identify actions to reduce or eliminate the impact of the problem on the services.

9. Control processes

Configuration and change management clauses are significantly more prescriptive in this version of the standard.

9.1 Configuration management requirement changes include:

- minimum mandatory asset information fields for each CI in the CMDB,
- a documented procedure for recording, controlling and tracking versions of CIs that incorporates asset-risk-based control,
- master copies of CIs recorded in the CMDB shall be stored in secure physical or electronic libraries referenced by the configuration records,
- audit of the records stored in the CMDB at planned intervals.

9.2 Change management requirement changes include:

- minimum change management policy content,
- removal or transfer of a service shall be classified as a change to a service with the potential to have a major impact,
- a documented procedure to record, classify, assess and approve requests for change,
- a documented procedure for managing emergency changes.

The requirements to manage requests for change are similarly more robust, as follows:

- Requests for change classified as having the potential to have a major impact on the services or the customer shall be managed using the design and transition of new or changed services process. All other requests for change to CIs defined in the change management policy shall be managed using the change management process.
- The service provider and interested parties shall make decisions on the acceptance of requests for change.
- The activities required to reverse or remedy an unsuccessful change shall be planned and, where possible, tested.
- The service provider shall review changes for effectiveness (ISO 20000-1:2005 required only that changes shall be reviewed for success).

9.3 Release and deployment management, now recognised as a control process, has an overall purpose and content that remains unchanged, although there are some detailed changes. Notable additional requirements are as follows.
There is now an explicit requirement to coordinate the deployment plan with the change management process and include references to the related requests for change, known errors and problems which are being closed through the release. Planning must also include the dates for deployment of each release, the associated deliverables and intended methods of deployment.

The definition of an emergency release must be documented and the release managed according to a documented procedure that interfaces to the emergency change procedure.

For each release, acceptance criteria for the release must be agreed with the customer and interested parties. Prior to deployment, the release must be verified against the agreed acceptance criteria and approved. If the criteria are not met, the customer and interested parties must be involved in the decision about what actions are necessary to proceed.

Appendix A

Service management system general requirements compared with ISO/IEC 9001 & ISO/IEC 27001.

ISO 20000:2011 | ISO 9001:2008 | ISO 27001:2005

4.1 Management responsibility | 5 Management responsibility | 5 Management responsibility
4.1.1 Management commitment | 5.1 Management commitment | 5.1 Management commitment
4.1.2 Service management policy | 5.3 Quality policy | 4.2.1 b) Define an ISMS policy...
4.1.3 Authority, responsibility and communication | 5.5 Responsibility, authority and communication | 5.1 c) establishing roles and responsibilities for information security and Annex A control [1] A.6.1.2 (approximate correlation)
4.1.4 Management representative | 5.5.2 Management representative | 5.1 c) establishing roles and responsibilities for information security and Annex A controls [1] A.6.1.1 & A.6.1.2 (approximate correlation)
4.2 Governance of processes operated by other parties | 7.4 Purchasing (approximate correlation) | Numerous Annex A controls [1], particularly A.6.1.2 to A.6.1.6 and A.6.2 (approximate correlation)
4.3 Documentation management | 4.2 Documentation requirements | 4.3 Documentation requirements
4.3.1 Establish and maintain documents | 4.2.1 General | 4.3.1 General
4.3.2 Control of documents | 4.2.3 Control of documents | 4.3.2 Control of documents
4.3.3 Control of records | 4.2.4 Control of records | 4.3.3 Control of records
4.4 Resource management | 6 Resource management | 5.2 Resource management
4.4.1 Provision of resources | 6.1 Provision of resources | 5.2.1 Provision of resources
4.4.2 Human resources | 6.2 Human resources | 5.2.2 Training, awareness and competence
4.5 Establish and improve the SMS | Numerous references (as below) | 4.2 Establishing and managing the ISMS
4.5.1 Define scope | 4.4.2 a) Quality manual - QMS scope definition | 4.2.1 a) Define the scope and boundaries of the ISMS
4.5.2 Plan the SMS (Plan) | 5.4.2 Quality management system planning | 4.2.1 b) Define an ISMS policy, through to j) Prepare a Statement of Applicability (approximate correlation)
4.5.3 Implement and operate the SMS (Do) | 4.1 General requirements (approximate correlation) | 4.2.2 Implement and operate the ISMS
4.5.4 Monitor and review the SMS (Check) | 5.6 Management review | 4.2.3 Monitor and review the ISMS
4.5.4.1 General | 8.1 Measurement, analysis and improvement - general | 4.2.3 Monitor and review the ISMS
4.5.4.2 Internal audit | 8.2.2 Internal audit | 6 Internal ISMS audits
4.5.4.3 Management review | 5.6 Management review | 7 Management review of the ISMS
4.5.5 Maintain and improve the SMS (Act) | 8.5 Improvement | 8 ISMS improvement
4.5.5.1 General | 8.5.1 Continual improvement | 8.1 Continual improvement
4.5.5.2 Management of improvements | 5.6 Management review | 7 Management review of the ISMS, supplemented by 4.2.1 d) Identify the risks to i) Obtain management authorization (approximate correlation)

[1] ISO 27001:2005 conformance does not require implementation of all control objectives and controls in Annex A of the standard, as these are selected based upon the defined scope of the Information Security Management System. However, it would be very unusual for an organisation to justify exclusion of control objectives and controls defined in A.6.1.

International Register of Certificated Auditors (IRCA)
2nd Floor North
Chancery Exchange
10 Furnival Street
London EC4A 1AB
United Kingdom
Email: irca@irca.org
Tel: +44 (0) 20 7245 6833
Fax: +44 (0) 20 7245 6755
WWW.IRCA.ORG