IRCA Briefing Note: ISO/IEC 20000-1 (English)
Contents
Introduction
Overview
Detail review
1. Scope
2. Normative references
3. Terms and definitions
4. Service management system general requirements
5. Design and transition of new or changed services
6. Service delivery processes
7. Relationship processes
8. Resolution processes
9. Control processes
Appendix A
Overview
A principal constraint of ISO 20000-1:2005, when implementing or assessing the conformance of an IT Service Management System (ITSMS), was the number of mandated processes; these were often worded in a way that required interpretation by the auditor and agreement with the auditee.
Some may view the modifications in ISO/IEC 20000-1:2011 as a substantial change. Others may think it largely captures good practices already implemented. IRCA's view is that the publication of ISO/IEC 20000-1:2011 gives organizations implementing IT Service Management Systems, and organizations needing to audit IT Service Management Systems, an opportunity to re-assess their own practices and identify improvement opportunities.
WWW.IRCA.ORG
Detail review
Many clauses of ISO 20000-1:2005 began with a statement of the objective of that clause (though not clauses titled General or Background). These objective statements have been removed and do not appear in ISO/IEC 20000-1:2011.
1. Scope
This clause confirms the applicability of the standard to the whole service management system lifecycle.
The general use cases described in 1.1 a) to f) are derived and developed from those in ISO 20000-1:2005 to clarify the perspectives of the service provider, of the organization seeking services from a provider, and of the assessor or auditor of conformity.
Figure 2, the Service Management System diagram, promotes a more consistent view of the relationship between the elements of ISO/IEC 20000-1:2011. Most notably, the relationship with customers and other stakeholders is added. The service management system general requirements and the design and transition of new or changed services are added as layers in the diagram to show their context and their relationship with the service delivery, resolution, relationship and control processes. Also of note, release and deployment management is subsumed into the category of control processes.
Clause 1.2 Application is added to further clarify the requirements for conformance. Here it is acknowledged that parts of the service delivery (clauses 5 to 9) may be provided by other parties and that evidence of process governance from these sources is admissible. However, it is emphasised that service management responsibility, governance of other parties involved in service provision, documentation management, resource management, and the establishment and improvement of the service management system, as defined in clause 4, must be evidenced by the service provider alone. No part of clause 4 may be delegated or contracted to another party. ISO/IEC TR 20000-3 provides additional guidance on scope definition and applicability, including further explanation of the governance of processes operated by other parties.
2. Normative references
This empty clause is added only to align the clause numbering with that of ISO/IEC 20000-2.
3. Terms and definitions
As would be expected from a technical revision, there are now 37 defined terms in ISO/IEC 20000-1:2011, compared with the 15 listed in ISO 20000-1:2005. Many of the additional terms are adopted or adapted from ISO 9000:2005 (Quality management systems: Fundamentals and vocabulary) and ISO/IEC 27000:2009 (Information technology, Security techniques, Information security management systems: Overview and vocabulary); others are consistent with ITIL v3 (although ISO/IEC 20000-1:2011 is independent of any specific implementation methodology).
For example, clause 3.11 defines information security as "preservation of confidentiality, integrity and accessibility of information". "Accessibility" is inconsistent with ISO/IEC 27000:2009, which uses the term "availability"; however
Appendix A
Service management system general requirements compared with ISO 9001 and ISO/IEC 27001.
Columns: ISO/IEC 20000-1:2011 | ISO 9001:2008 | ISO/IEC 27001:2005
5 Management responsibility
5 Management responsibility
4.1.3 Authority, responsibility and communication
5.5 Responsibility, authority and communication
4.2 Governance of processes operated by other parties
7.4 Purchasing (approximate correlation)
4.2.1 General
4.3.1 General
6 Resource management
5.2.2 Training, awareness and competence
4.2 Establishing and managing the ISMS
4.4.2 a) Quality manual QMS scope definition
4.1 General requirements (approximate correlation)
4.5.4 Monitor and review the SMS (Check)
4.5.4.1 General
8.1 Measurement, analysis and improvement - general
4.5.5 Maintain and improve the SMS (Act)
8.5 Improvement
8 ISMS improvement
4.5.5.1 General
1. ISO/IEC 27001:2005 conformance does not require implementation of all control objectives and controls in Annex A of the standard, as these are selected based upon the defined scope of the Information Security Management System. However, it would be very unusual for an organisation to justify exclusion of the control objectives and controls defined in A.6.1.