
IRCA Briefing note

ISO/IEC 20000-1: 2011


Contents
Introduction 3
Summary of the changes within ISO/IEC 20000-1:2011 3
Overview 3
Detail review 4
1. Scope 4
2. Normative references 4
3. Terms and definitions 4
4. Service management system general requirements 4
5. Design and transition of new or changed services 5
6. Service delivery processes 5
7. Relationship processes 6
8. Resolution processes 6
9. Control processes 6-7
Appendix A 8
WWW.IRCA.ORG Page 2 of 9
Copyright IRCA 2012
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without prior permission of the International Register of Certificated Auditors (IRCA).
Introduction
The International Register of Certificated Auditors (IRCA) has prepared this briefing note to communicate to IRCA Certificated Auditors, IRCA Approved Training Organizations and other interested parties our understanding of ISO/IEC 20000-1:2011.
The content of this briefing note is provided in good faith and is the opinion of IRCA. It should not be reproduced nor used for commercial purposes. IRCA Certificated Auditors and IRCA Approved Training Organizations are advised to familiarise themselves with ISO/IEC 20000-1:2011.
The provision of IT services and the development of their underpinning Service Management Systems (SMS) have evolved considerably since the original standard was published in 2005. The sector has moved from the provision of internal corporate IT systems and bespoke outsourcing of corporate IT systems toward one that embraces consumerization and offers more generic, utility IT services. Practices and methodologies such as ITIL have evolved alongside those developments, and the requirements and conformance controls of ISO/IEC 20000-1:2011 have changed accordingly.
The 2011 revision also reinforces alignment with other management system standards, particularly ISO 9001:2008 Quality management systems - Requirements and ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements, improving and enabling an integrated, process-based approach across disciplines as part of a business management system.
Some may view the modifications in ISO/IEC 20000-1:2011 as a substantial change. Others may think it largely captures good practices already implemented. IRCA's view is that publication of ISO/IEC 20000-1:2011 gives organizations implementing IT Service Management Systems, and organizations needing to audit IT Service Management Systems, an opportunity to re-assess their own practices and identify improvement opportunities.
Overview
A principal constraint of ISO 20000-1:2005 when
implementing or assessing the conformance of an IT Service
Management System (ITSMS) was the number of mandated
processes; these were often worded such that they required
auditor interpretation and agreement with the auditee.
Throughout ISO/IEC 20000-1:2011 many of these process requirements are replaced with explicitly mandated documented procedures. Many are extended with prescribed minimum attributes that improve clarity of review and understanding of intent, and support conforming implementation. As an indicator of the extent of changes to conformance requirements it is interesting to note that:
ISO 20000-1:2005 had 171 "shall" statements
ISO/IEC 20000-1:2011 has 257 "shall" statements (approximately +50%).
The revision also reinforces alignment with other management system standards, particularly ISO 9001:2008 Quality management systems and ISO/IEC 27001:2005 Information security management systems. Auditors and assessors with experience of these standards will be familiar with the common themes and terminology. However, those with experience only of ISO 20000-1:2005 may need to review the current standard carefully to ensure an appropriate understanding of the revised conformance requirements.
Detail review
Many clauses of ISO 20000-1:2005 began with a statement of the objective of that clause (though not clauses titled General or Background). These have been removed and do not appear in ISO/IEC 20000-1:2011.
1. Scope
It is this section that confirms the applicability of the standard to the whole service management system lifecycle. The general use cases described in 1.1 a) to f) are derived and developed from those in ISO 20000-1:2005 to clarify the perspectives of the service provider, the organization seeking services from a provider, and the assessor or auditor of conformity.
Figure 2, the Service Management System diagram, promotes a more consistent view of the relationship between the elements of ISO/IEC 20000-1:2011. Most notably, the relationship with customers and other stakeholders is added. The service management system requirements and the design and transition of new or changed services are added as layers in the diagram to demonstrate their context and relationship with the service delivery, resolution, relationship and control processes. Also of note, release and deployment management is subsumed into the category of control processes.
Clause 1.2 Application is added, documenting further clarification of the requirements for conformance. Here it is acknowledged that parts of the service delivery (clauses 5 to 9) may be provided by other parties and that evidence of process governance from these sources is admissible. However, it is emphasised that service management responsibility, governance of other parties involved in service provision, documentation management, resource management and service establishment and improvement, as defined in clause 4, must be evidenced by the service provider alone. No part of that clause may be delegated or contracted to another party. ISO/IEC TR 20000-3 provides additional guidance on scope definition and applicability, including further explanation of the governance of processes operated by other parties.
2. Normative references
This empty clause is added only for the purpose of clause numbering alignment with ISO/IEC 20000-2.
3. Terms and definitions
As would be expected from a technical revision, there are now 37 defined terms in ISO/IEC 20000-1:2011 compared with the 15 listed in ISO 20000-1:2005. Many of the additional terms are adopted or adapted from ISO 9000:2005 Quality management systems - Fundamentals and vocabulary and ISO/IEC 27000:2009 Information technology - Security techniques - Information security management systems - Overview and vocabulary; others are consistent with ITIL v3 (although ISO/IEC 20000-1:2011 is independent of any specific implementation methodology).
For example, clause 3.11 defines information security as "preservation of confidentiality, integrity and accessibility of information". "Accessibility" is inconsistent with ISO/IEC 27000:2009, which uses the term "availability"; however, accessibility is used here to avoid conflict with the existing ISO/IEC 20000-1:2011 definition of [IT service] availability in clause 3.1 of this standard.
The improved consistency of terms with other management system standards is a welcome assistance, enabling an integrated, process-based approach across disciplines. However, before undertaking a conformity assessment, care is needed to review the defined terms thoroughly to ensure a common understanding of the idiosyncrasies of some adapted terms.
4. Service management system general requirements
The use of clause 4 to define management system requirements reinforces alignment with other management system standards, particularly ISO 9001:2008 and ISO/IEC 27001:2005.
Clause 4 of this standard is an extensive redevelopment of
clauses 3 and 4 of ISO 20000-1:2005, transferring the mature
management system principles established by ISO 9001 into
this standard. It is not a like-for-like adoption, however;
while the requirements and terminology may be familiar,
clause 4 of this standard amalgamates equivalent elements
from a number of ISO 9001 (and, similarly, ISO 27001) clauses
as outlined in Appendix A.
4.1 Management responsibility is a thorough re-work of ISO 20000-1:2005 clause 3.1, introducing a number of additional requirements. Top management commitment, policy management, authority and responsibility are specified, and the requirements of the Management Representative are defined in more detail.
ISO 20000-1:2005 required mutual agreement on the interpretation of the term "supplier" when assessing conformance of service delivery dependencies through the supplier management clause ("supplier" was not a defined term in that standard, although clause 7.2 Figure 3 indicated an intention to consider only external suppliers). ISO/IEC 20000-1:2011 introduces clause 4.2 Governance of processes operated by other parties to acknowledge and clarify the range of parties contributing to successful service delivery (internal service provider groups, external suppliers or customer contributions). Further, recall from clause 1.2 that a service provider cannot rely on evidence of the governance of processes operated by other parties for the requirements in clause 4: conformance now requires the service provider to demonstrate both an awareness of the range of service delivery dependencies and governance of those concerns. ISO/IEC TR 20000-3 provides further guidance on the governance of processes operated by other parties.
Clause 4.3 Documentation management defines a more prescribed documentation set for the SMS and introduces formalised document and record controls. A notable addition is the explicit requirement to document a catalogue of services as a separate and distinct document from the Service Level Agreement (SLA); this foundation document is referred to again in support of service design, and its purpose is clarified in clause 6.1 Service level management.
4.4 Resource management clarifies the SMS definition of resources (not among the defined terms in clause 3) as human, technical, information and financial resources, with the conformance requirements for the determination and provision of these.
4.5 Service management system planning and implementation, derived from ISO 20000-1:2005 clause 4, has been re-worked in this standard. While the principles and structural outline have been maintained, there are numerous detailed requirement changes throughout which remove many points of ambiguity and interpretation and enable improved consistency of application. For example, the service management plan shall now "contain or reference ... statutory and regulatory requirements ..." and "... criteria for accepting risks", analogous to ISO/IEC 27001 information security management system control requirements.
Due to the broad and detailed redevelopment, a thorough
review of clause 4 is required to become familiar with and
understand the revised and new conformance requirements.
5. Design and transition of new or changed services
Practices and requirements defned by ISO 20000-1:2005
clause 5 have been reworked and expanded to create clause 5
in this standard.
Clause 5.1 re-emphasises change management as the prime controlling process. While acknowledging that the planning and design of new or changed services may result in some proposed changes being rejected, the clause makes clear that the service provider shall take the necessary actions to ensure that the remaining accepted changes are sufficient to perform the new or changed service effectively (an indirect conformance requirement for post-change effectiveness monitoring and review that is made more explicit in clause 9.2).
Clauses 5.2 and 5.3 list quite comprehensive requirements for the planning, design and development of new or changed services, including specific requirements for services that are to be removed (mothballed, closed or retired) and due diligence of dependencies on other parties contributing to the provision of service components.
5.4 Transition of new or changed services redefines the requirements for pre-deployment service testing against acceptance criteria pre-agreed between the service provider and stakeholders, use of the revised release and deployment control process to migrate the service into the live environment, and a post-deployment review against expected outcomes.
6. Service delivery processes
The overall structure and purpose of this clause remain unchanged. However, a detailed review reveals many additional conformance requirements where ISO 20000-1:2005 statements have been clarified and refined. The more significant changes are outlined below.
There are two notable changes to clause 6.1 Service level management.
The first change updates the ISO 20000-1:2005 requirement that each service be defined, agreed and documented in one or more SLAs. ISO/IEC 20000-1:2011 recognises that a customer may contract a portfolio of IT services from a provider and that these shall now be defined in a catalogue of services for that customer that includes the dependencies between services and service components. This is then supplemented with one or more SLAs for each of the services being delivered.
The other change echoes Governance of processes operated by other parties (clause 4.2): distinct from supplier management (addressed later in clause 7.2), the final paragraph of clause 6.1 mandates governance requirements for service components provided by an internal group or by the customer.
Clause 6.2 Service reporting is broadly unchanged in principle; however, the conformance requirements for service report context and content are more prescribed.
6.3 Service continuity and availability management has been expanded and logically restructured into three sub-clauses with clarified conformance requirements, as follows.
Clause 6.3.1 Service continuity and availability requirements re-emphasises risk assessment of service continuity and availability as the first step in identifying and agreeing requirements with the customer and other interested parties. However, in assessing the conformance of a service provider that delivers a standardised service to a range of customers, the continuity and availability of that service would be risk-assessed and service level targets committed as part of the pre-contract service specification and SLA offered to those customers. The commercial contract would then constitute customer agreement to those prescribed continuity and availability commitments.
6.3.2 Service continuity and availability plans does not continue the former requirement to ensure that requirements are met "as agreed in all circumstances", as that contradicted the risk-based nature of service continuity and availability management. The clause does prescribe service continuity plan and service availability plan content, with the note that these plans may be combined into one document.
6.3.3 Service continuity and availability monitoring and testing drops the requirement to review the plans at least annually; this standard takes an event-driven approach, mandating review after testing the plans or after invoking the service continuity plan. As previously, service continuity and availability plans shall be re-tested after major changes to the service environment. Further, the tests are to be conducted against the continuity and availability requirements, the results recorded and reviewed, necessary actions taken and the results of those actions reported.
6.4 Budgeting and accounting for services remains broadly unchanged, although the revised layout and wording aid clarity. One notable addition is the requirement for a defined interface between the budgeting and accounting for services process and other financial management processes.
Similarly, 6.5 Capacity management generally replicates the previous version of the standard, though again there are subtle changes. The scope of resources to be managed is explicitly listed as human, technical, information and financial resources. Further, there is a subtle change of wording that mandates the required outcome:
ISO 20000-1:2005 stated that "Methods, procedures and techniques shall be identified to monitor service capacity, tune service performance and provide adequate capacity." An arguable interpretation of this statement is that the provider could identify methods, procedures and techniques without actually committing to use them to provide adequate capacity.
ISO/IEC 20000-1:2011 requires quite unambiguously that "The service provider shall provide sufficient capacity to fulfil agreed capacity and performance requirements."
6.6 Information security management has been reworked to improve alignment with the requirements of ISO/IEC 27001. It has been divided into clauses covering information security policy, [risk] controls, and changes and incidents. The new policy and control requirements, although lightweight compared with ISO/IEC 27001, are more prescriptive than the previous version of this standard and may challenge some organizations that have not implemented an information security management system conforming to ISO/IEC 27001.
In comparison, 6.6.3 Information security changes and incidents should be less challenging, as this generally replicates the requirements of the previous version of this standard to integrate information security management into the existing change management, incident management and improvement processes.
7. Relationship processes
The overall structure and content of this clause remain unchanged, though there are some detailed changes.
7.1 Business relationship management has more focus
upon the customer and is less prescriptive about the
relationship with other stakeholders.
The annual service review specified in ISO 20000-1:2005 has been replaced in this standard by the requirement for an unspecified communication mechanism, enabling a variety of arrangements from an annual review to a continuous, on-demand review tailored to business requirements. The purpose of this communication is defined, though the wording is a little ambiguous; a reasonable interpretation is recommended as "to promote [mutual] understanding of the business environment in which the services operate and requirements for new or changed services". This would enable, for example:
- the service provider to remain aware of the customer's business and operational environment and of requirements for change arising from the customer, and
- the service provider to respond to changes in its own strategic and commercial environment and to improve, adjust or replace elements of a generic service provided to a number of customers.
Whilst the requirements for management of customer complaints remain unchanged, customer satisfaction now takes a pragmatic view and enables measurement and analysis based on a representative sample of the customers and users of the services.
7.2 Supplier management now documents a prescriptive list of elements that must be included or referenced in a supplier contract.
The "annual major review of the [supplier] contract or formal agreement" specified in ISO 20000-1:2005 has been replaced with the more passive requirement to monitor the performance of the supplier at planned intervals.
Of particular note is the replacement of two process requirements with:
- the requirement for the supplier contract to define or reference activities and responsibilities for termination of the contract and the transfer of services to a different party, ensuring that this is proactively addressed and documented before the need for transfer or termination arises, and
- the requirement for a documented procedure to manage contractual disputes.
8. Resolution processes
8.1 Incident and service request management acknowledges the contemporary practice in many organizations of processing incident reports and service requests through one customer-facing unit and one common process; in this standard, the administration of service requests is lifted out of the Change management clause and placed here.
The standard requires the incident and service request management process to be defined by two separate documented procedures, covering incident and service request lifecycle management from recording to closure. The information to be made available to personnel performing the process is prescribed and includes information from the Release and deployment management process.
The final paragraph prescribes that major incidents are now to be managed using a documented procedure.
8.2 Problem management remains broadly unchanged, although the revised layout and wording aid clarity. One notable improvement is the explicit acknowledgement that not all problems are permanently resolvable; commercial, technical or external constraints may prevent that. The clause now states that where the root cause has been identified but the problem has not been permanently resolved, the service provider shall identify actions to reduce or eliminate the impact of the problem on the services.
9. Control processes
Configuration and change management clauses are significantly more prescriptive in this version of the standard.
9.1 Configuration management requirement changes include:
- minimum mandatory asset information fields for each CI in the CMDB,
- a documented procedure for recording, controlling and tracking versions of CIs that incorporates asset-risk-based control,
- master copies of CIs recorded in the CMDB shall be stored in secure physical or electronic libraries referenced by the configuration records, and
- audit of the records stored in the CMDB at planned intervals.
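The last two of these requirements (master copies held in a secure library that the configuration records reference, and audit of the CMDB at planned intervals) are the ones an auditor can test mechanically rather than by interview. The script below is an added example written for this note; it is not IRCA's material and not text from the standard. It walks a set of configuration records, checks that an assumed minimum field set is populated, and then confirms that each referenced master copy resolves inside the library, is present, and still matches the integrity hash recorded when it was placed there. The field names, the library layout and the sample records are constructed for the example.

```python
"""Planned-interval CMDB audit: minimum-field check plus verification that each
record's master copy is inside the secure library, present, and unchanged."""
import hashlib
import os
import tempfile

# Assumed minimum field set for a CI record. The standard mandates that a
# minimum exists; these particular names are an illustration, not its list.
MANDATORY_FIELDS = ("ci_id", "description", "version", "status", "owner",
                    "relationships", "master_copy", "sha256")


def sha256_of_file(path):
    """Stream the file so large release archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_cmdb(records, library_dir):
    """Return a list of (ci_id, issue) findings; an empty list means the audit passed."""
    findings = []
    lib_real = os.path.realpath(library_dir)
    for rec in records:
        ci_id = rec.get("ci_id", "<no id>")
        missing = [f for f in MANDATORY_FIELDS if rec.get(f) in (None, "")]
        if missing:
            findings.append((ci_id, "missing mandatory fields: " + ", ".join(missing)))
            continue
        # The record references its master copy by a library-relative name.
        # Resolve it and refuse anything that escapes the library (e.g. "../").
        copy_path = os.path.realpath(os.path.join(lib_real, rec["master_copy"]))
        if os.path.commonpath([lib_real, copy_path]) != lib_real:
            findings.append((ci_id, "master copy reference escapes the library"))
            continue
        if not os.path.isfile(copy_path):
            findings.append((ci_id, "master copy not found in library: " + rec["master_copy"]))
            continue
        if sha256_of_file(copy_path) != rec["sha256"]:
            findings.append((ci_id, "master copy does not match recorded sha256"))
    return findings


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def build_sample():
    """Constructed sample data: a temporary library holding three master copies and
    five CI records, one sound and four each showing a distinct defect."""
    lib = tempfile.mkdtemp(prefix="cmdb_library_")
    copies = {
        "web-app-1.2.tar": b"web application release 1.2",
        "db-schema-7.sql": b"CREATE TABLE customers (id INT);",
        "edge-fw-3.0.bin": b"\x7fELFfirmware-image",
    }
    for name, content in copies.items():
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(content)
    base = {"description": "n/a", "version": "1", "status": "live",
            "owner": "service-desk", "relationships": []}
    records = [
        dict(base, ci_id="CI-0001", master_copy="web-app-1.2.tar",
             sha256=_digest(copies["web-app-1.2.tar"])),            # sound record
        dict(base, ci_id="CI-0002", master_copy="db-schema-7.sql",
             sha256=_digest(b"something else")),                     # library copy altered
        dict(base, ci_id="CI-0003", master_copy="edge-fw-3.0.bin",
             sha256=_digest(copies["edge-fw-3.0.bin"]), owner=""),   # mandatory field empty
        dict(base, ci_id="CI-0004", master_copy="retired/old.bin",
             sha256=_digest(b"x")),                                  # master copy absent
        dict(base, ci_id="CI-0005", master_copy="../outside.bin",
             sha256=_digest(b"x")),                                  # reference leaves library
    ]
    return records, lib


def run_sample_audit():
    records, lib = build_sample()
    return audit_cmdb(records, lib)


if __name__ == "__main__":
    for ci_id, issue in run_sample_audit():
        print(ci_id, issue)
```

Run directly, it prints four findings for the constructed sample and none for CI-0001. In practice the records would be exported from the CMDB, the library would be the controlled store, and every finding would be raised through the improvement process; the hash recorded at check-in is what turns "stored in a secure library" into something that can be verified rather than asserted.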
9.2 Change management requirement changes include:
- minimum change management policy content,
- removal or transfer of a service shall be classified as a change to a service with the potential to have a major impact,
- a documented procedure to record, classify, assess and approve requests for change, and
- a documented procedure for managing emergency changes.
The requirements to manage requests for change are similarly more robust, as follows:
- Requests for change classified as having the potential to have a major impact on the services or the customer shall be managed using the design and transition of new or changed services process. All other requests for change to CIs defined in the change management policy shall be managed using the change management process.
- The service provider and interested parties shall make decisions on the acceptance of requests for change.
- The activities required to reverse or remedy an unsuccessful change shall be planned and, where possible, tested.
- The service provider shall review changes for effectiveness (ISO 20000-1:2005 required only that changes be reviewed for success).
9.3 Release and deployment management, now recognised as a control process, has an overall purpose and content that remain unchanged, although there are some detailed changes. Notable additional requirements are as follows.
There is now an explicit requirement to coordinate the deployment plan with the change management process and to include references to the related requests for change, known errors and problems which are being closed through the release. Planning must also include the dates for deployment of each release, the associated deliverables and the intended methods of deployment.
The definition of an emergency release must be documented and the release managed according to a documented procedure that interfaces with the emergency change procedure.
For each release, acceptance criteria must be agreed with the customer and interested parties. Prior to deployment, the release must be verified against the agreed acceptance criteria and approved. If the criteria are not met, the customer and interested parties must be involved in the decision about what actions are necessary to proceed.
Appendix A
Service management system general requirements compared with ISO 9001 & ISO/IEC 27001.

ISO/IEC 20000-1:2011 | ISO 9001:2008 | ISO/IEC 27001:2005
4.1 Management responsibility | 5 Management responsibility | 5 Management responsibility
4.1.1 Management commitment | 5.1 Management commitment | 5.1 Management commitment
4.1.2 Service management policy | 5.3 Quality policy | 4.2.1 b) Define an ISMS policy...
4.1.3 Authority, responsibility and communication | 5.5 Responsibility, authority and communication | 5.1 c) establishing roles and responsibilities for information security and Annex A control (1) A.6.1.2 (approximate correlation)
4.1.4 Management representative | 5.5.2 Management representative | 5.1 c) establishing roles and responsibilities for information security and Annex A controls (1) A.6.1.1 & A.6.1.2 (approximate correlation)
4.2 Governance of processes operated by other parties | 7.4 Purchasing (approximate correlation) | Numerous Annex A controls (1), particularly A.6.1.2 to A.6.1.6 and A.6.2 (approximate correlation)
4.3 Documentation management | 4.2 Documentation requirements | 4.3 Documentation requirements
4.3.1 Establish and maintain documents | 4.2.1 General | 4.3.1 General
4.3.2 Control of documents | 4.2.3 Control of documents | 4.3.2 Control of documents
4.3.3 Control of records | 4.2.4 Control of records | 4.3.3 Control of records
4.4 Resource management | 6 Resource management | 5.2 Resource management
4.4.1 Provision of resources | 6.1 Provision of resources | 5.2.1 Provision of resources
4.4.2 Human resources | 6.2 Human resources | 5.2.2 Training, awareness and competence
4.5 Establish and improve the SMS | Numerous references (as below) | 4.2 Establishing and managing the ISMS
4.5.1 Define scope | 4.2.2 a) Quality manual - QMS scope definition | 4.2.1 a) Define the scope and boundaries of the ISMS
4.5.2 Plan the SMS (Plan) | 5.4.2 Quality management system planning | 4.2.1 b) Define an ISMS policy, through to j) Prepare a Statement of Applicability (approximate correlation)
4.5.3 Implement and operate the SMS (Do) | 4.1 General requirements (approximate correlation) | 4.2.2 Implement and operate the ISMS
4.5.4 Monitor and review the SMS (Check) | 5.6 Management review | 4.2.3 Monitor and review the ISMS
4.5.4.1 General | 8.1 Measurement, analysis and improvement - general | 4.2.3 Monitor and review the ISMS
4.5.4.2 Internal audit | 8.2.2 Internal audit | 6 Internal ISMS audits
4.5.4.3 Management review | 5.6 Management review | 7 Management review of the ISMS
4.5.5 Maintain and improve the SMS (Act) | 8.5 Improvement | 8 ISMS improvement
4.5.5.1 General | 8.5.1 Continual improvement | 8.1 Continual improvement
4.5.5.2 Management of improvements | 5.6 Management review | 7 Management review of the ISMS, supplemented by 4.2.1 d) Identify the risks to i) Obtain management authorization (approximate correlation)

(1) ISO/IEC 27001:2005 conformance does not require implementation of all control objectives and controls in Annex A of the standard, as these are selected based upon the defined scope of the Information Security Management System. However, it would be very unusual for an organisation to justify exclusion of the control objectives and controls defined in A.6.1.
International Register of Certificated Auditors (IRCA)
2nd Floor North
Chancery Exchange
10 Furnival Street
London EC4A 1AB
United Kingdom
Email: irca@irca.org
Tel: +44 (0) 20 7245 6833
Fax: +44 (0) 20 7245 6755
WWW.IRCA.ORG
