ISO 20000: What’s an Organization to Do?

Best Practices White Paper

Table of Contents

Abstract
A Natural Next Step
  ITIL
  COBIT
  BS 15000
A Closer Look at ISO 20000
The Impact of ISO 20000
  Should an Organization Seek Certification?
  For Organizations Not Seeking Certification — Use ISO 20000 as a Guide
  Importance of Continual Improvement
Importance of Automation to ISO 20000
  Advantages of Automation
Selecting the Right Automation Solution
  Support ITIL
  Maintain a CMDB
  Manage IT from a Business Perspective
What to Do Next
  Become Familiar with Pertinent Documents
  Assess the Current Situation
  Initiate an Improvement Program
  Establish a Culture of Continual Improvement
Conclusion
Recommended References
Abstract
International standards related to IT Service Management permit organizations worldwide to collaborate and they provide valuable guidelines that help establish the credibility of companies. A new standard, ISO 20000, which is now available, allows an organization to demonstrate to its customers and investors that it operates with business integrity and security, and that it fosters a culture of continual quality improvement in IT Service Management. Why is this so important? It is because achieving ISO 20000 certification can help give companies a competitive edge over those companies that don’t meet this standard.

The release of ISO 20000 raises a question to organizations around the world: What does the organization need to do today with respect to ISO 20000? This paper is intended to help answer that question by:
> Describing the evolution of ISO 20000
> Providing an overview of ISO 20000
> Discussing the potential impact of ISO 20000 on organizations
> Reviewing the need for automation to meet the requirements of ISO 20000 and the criteria that an automation solution should meet
> Suggesting actions an organization can take now to prepare for ISO 20000 certification
A Natural Next Step
Organizations focused on continual quality improvement in IT Service Management will benefit by following the latest standard from the International Organization for Standards (ISO) — ISO 20000. This new standard promotes the adoption of an integrated process approach to the effective delivery of IT services and sets guidelines for quality in IT service management (ITSM). (See Figure 1.) The release of ISO 20000 demonstrates that IT has reached a point in its maturity where few organizations could survive without it. Documentation defining this standard was released in 2005, and global certification is expected to begin in 2006.

The new standard is based on the British standard BS 15000 and is closely aligned with the IT Infrastructure Library (ITIL®). ISO 20000 is a code that provides a yardstick for measuring and validating an organization’s success in implementing best practices as defined by ITIL. Those organizations that have achieved or are pursuing achievement of BS 15000 and those organizations that are implementing ITIL will find themselves already on the path to ISO 20000, and consequently able to increase their credibility as organizations.

ISO 20000, which replaces BS 15000, provides a standardized way of verifying that an organization has successfully adopted IT Service Management best practices as defined by ITIL, which has been a de facto standard for service management for almost 20 years. BS 15000 — a British standard first issued in 2000 to promote the adoption of an integrated process approach to the effective delivery of IS services — is based on ITIL. And ISO 20000 was created via a fast track from BS 15000. Other standards, practices, and models may also be relevant to ISO 20000. This paper, however, focuses on the relevance of key ones — ITIL, COBIT, and BS 15000.

Figure 1. ISO 20000 Service Management Processes
Service Design and Management Processes
> Capacity Management
> Service Contingency and Availability Management
> Service Level Management
> Service Support
> Information Security Management
> Budgeting and Accounting for IT Services
Service Design and Management Processes
> Configuration Management
> Change Management
Release Processes
> Release Management
Resolution Processes
> Incident Management
> Problem Management
Supplier Processes
> Business Relationship Management
> Supplier Management

ITIL
ITIL consists of a coherent, integrated set of seven books, each defining best practice guidelines for a specific area of IT service management. The guidelines are intended to be adapted by each organization to fit its specific needs. ITIL is owned and maintained by the U.K. Office of Government and Commerce (OGC).

Figure 2 shows the IT process areas defined in the ITIL guidelines and their interrelationships.

COBIT
IT controls are becoming a necessary part of doing business in just about all industries and are essential in implementing ITIL, and hence in achieving ISO 20000 compliance. The Institute of Chartered Accountants in England and Wales, for example, has published its final guidance on the implementation of the internal control requirements of the Combined Code on Corporate Governance. This guide, entitled “Internal Control: Guidance for Directors on the Combined Code,” has the support and endorsement of the London Stock Exchange, which has stated that, “A company’s system of internal control has a key role in the management of risks that are significant to the fulfillment of its business objectives.” In addition, the Public Company Accounting Oversight Board (PCAOB) in the U.S., which was established by the Sarbanes-Oxley Act of 2002 to oversee the audits of public companies, specifically mentions the importance of IT systems and IT general controls in its auditing guidelines dated March 9, 2004.

The IT Governance Institute (ITGI) has constructed an IT-focused control framework called Control Objectives for Information and related Technology (COBIT) that provides specific IT governance guidelines to help organizations implement controls. COBIT establishes a set of 34 high-level IT control objectives, 13 of which rely on ITIL directly. The objectives are shown in Table 1, and are categorized by domain.

BS 15000
BS 15000, closely aligned with ITIL, defines a set of minimum requirements against which an organization can be assessed for effective IT service management processes. It provides a level of quality for those activities that can be audited. BS 15000 encompasses five key process groups: service delivery processes, relationship processes, resolution processes, release processes, and control processes, most of which are defined in detail within ITIL.

A Closer Look at ISO 20000
In May 2005, members of the ISO and the International Electrotechnical Commission (IEC) voted to make BS 15000 the basis for ISO 20000. This took the foundation of BS 15000 to the next level, as it set the stage for an international standard. The nature of the business relationship between the service provider and the business will determine how the requirements in Part 1 of ISO 20000 are to be implemented to meet the overall objectives. The service provider may be internal or external to the business. The ultimate goal of ISO 20000 is to:
> Reduce operational exposure to risk
> Meet contractual requirements
> Demonstrate service quality

The ISO expects first certifications to be achieved in 2006. It is expected that organizations with BS 15000 certification will be the first to seek ISO 20000 certification. (Those organizations are all outside the U.S.) It is also anticipated that other organizations around the world, including those in the U.S., will follow, most probably led by companies in industries in which IT plays a critical business role.

Figure 2. IT Process Areas
[Diagram labels: Planning to Implement Service Management; The Business; The Business Perspective; Service Management; Service Support; Service Delivery; ICT Infrastructure Management; Security Management; Applications Management; The Technology; Suppliers]

ISO 20000 content is based on the following documents within BS 15000:
> Part One – Includes a set of minimum requirements and promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements.
> Part Two – Covers a “Code of Practice for Service Management,” which distills key elements of ITIL best practices. This document is intended to help organizations establish processes to achieve the objectives of Part 1.

The Impact of ISO 20000
What does an organization need to do regarding ISO 20000? Should it seek ISO 20000 certification? If it is not seeking certification, what, if anything, should an organization do based on this new standard? This section should help answer those questions.

Should an Organization Seek Certification?
As mentioned earlier, ISO 20000 certification provides verification that an organization is deploying IT Service Management best practices as evidenced by an independent, external evaluation against a formal standard that has been carried out by an approved audit organization. This level of validation can help a company remain more competitive.

In determining whether to seek ISO 20000 certification, an organization should consider the following:
> ISO 20000 is especially important to organizations in industries in which quality IT services are essential to business success, such as — but not limited to — the financial services, utilities, and health services industries. Certification permits these organizations to demonstrate to their stakeholders and customers that they have well-managed IT environments.
> ISO 20000 is relevant to organizations that provide managed services and outsourcing of IT services. Certification permits managed services organizations to assure clients that their IT environments will be well managed, and enables outsourcing organizations to assure clients that they will receive high-quality IT services. These service providers must prove that they have documented all five key areas within ISO 20000 and that the requirements of the standard are being adhered to. Documentation must include Service Management policies and plans, Service Level Agreements, processes and procedures required by ISO 20000, and any records required by this standard.

Table 1. COBIT IT Control Objectives

Planning and Organization (PO)
PO1   Define a strategic IT plan
PO2   Define the information architecture
PO3   Determine the technological direction
PO4   Define the IT organization and relationships
PO5   Manage the IT investment
PO6   Communicate management aims and direction
PO7   Manage human resources
PO8   Ensure compliance with external requirements
PO9   Assess risks
PO10  Manage projects
PO11  Manage quality

Acquisition and Implementation (AI)
AI1   Identify automated solutions
AI2   Acquire and maintain application software
AI3   Acquire and maintain technology infrastructure
AI4   Develop and maintain procedures
AI5   Install and accredit systems
AI6   Manage changes

Delivery and Support (DS)
DS1   Define and manage service levels
DS2   Manage third-party services
DS3   Manage performance and capacity
DS4   Ensure continual service
DS5   Ensure systems security
DS6   Identify and allocate costs
DS7   Educate and train users
DS8   Assist and advise customers
DS9   Manage the configuration
DS10  Manage problems and incidents
DS11  Manage data
DS12  Manage facilities
DS13  Manage operations

Monitoring (M)
M1    Monitor the processes
M2    Assess internal control adequacy
M3    Obtain independent assurance
M4    Provide for independent audit

> Organizations should consider the implications of certification with respect to regulatory compliance. Today, organizations need to demonstrate compliance with an increasing number of government regulations. Many of these regulations, such as Sarbanes-Oxley, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the U.S., deal specifically with IT services and IT Service Management (ITSM). Currently, auditors do not require standards certification as proof of compliance, but in the future, they may. Because ISO 20000 deals specifically with the quality of ITSM, it could provide an international standard that auditors can use to determine compliance.

ISO 20000 certification will be granted only to organizations that have an ITSM operation, and will certify only the ITSM operation in those organizations. Certification will not be granted to products or to best practice advisory services offered by consulting organizations. Certification may become a requirement to do business with certain organizations, such as government agencies or outsourcers.

For Organizations Not Seeking Certification — Use ISO 20000 as a Guide
Even if an organization does not wish to initially seek certification, ISO 20000 documentation provides a valuable (and inexpensive) resource that can be used by organizations that have adopted ITIL and are implementing or plan to implement ITSM processes based on ITIL guidelines. It provides a standardized way for these organizations to measure their progress in “ITIL-izing” ITSM. Also, by striving to meet the requirements of ISO 20000, these organizations will be able to leverage their efforts and investments if they decide to pursue ISO 20000 certification later, or just want to ensure that they have implemented a world-class service.

Importance of Continual Improvement
All organizations should keep in mind that a key aspect of ITIL, and hence ISO 20000, is validation of continual improvement in the quality of ITSM. The model of continual quality improvement is based on W. Edwards Deming’s concept of Plan-Do-Check-Act, originally established in the manufacturing industry. (See Figure 3.)

An important factor in pursuing continual improvement is to conduct regular “health checks” on the quality of ITSM. ISO 20000 provides a way to check how well an organization is doing in its quest to continually improve ITSM. The organization can use ISO 20000 (and COBIT) to define and measure achievement of each new level of improvement as it grows in service maturity.

Figure 3. Continual quality improvement
[Diagram of the PLAN, DO, CHECK, ACT cycle. Diagram labels: Management Responsibility; Managed Services; Business Requirements; Customer Requirements; Request for New/Change Service; Other processes (e.g., business, supplier, customer); Service Desk; Other teams (e.g., Security, IT Operations); Business Results; Customer Satisfaction; New and Changed Service; Team and People Satisfaction. Provided by the Institute of IT Service Management.]

Importance of Automation to ISO 20000
Today’s IT organizations must manage complexity, both in their IT infrastructures and in the ITSM processes required to manage the infrastructures. The already high complexity of IT infrastructures is growing as organizations implement multitier architectures, services-oriented architectures, and virtualization technologies. The Internet has further increased complexity, adding many more users, both inside and outside the walls of the enterprise. These include employees, customers, and business partners.

To manage these infrastructures, many organizations are adopting ITIL guidelines to establish best-practice ITSM processes. ITIL requires the establishment of processes in multiple ITSM disciplines and the integration of these processes across disciplines. That’s a daunting task. What’s more, the practice of continual improvement — which is fundamental to ITIL and ISO 20000 — is by no means a trivial undertaking.

In this exceedingly complex IT environment, manual processes are not viable. Organizations need to implement systems-based automation tools and solutions to help them manage complex environments.

Advantages of Automation
Automation delivers a number of important advantages:
> Helps ensure the integration of processes. While manual processes tend to demarcate processes by permitting people to preserve “organizational turf,” automation fosters the integration of processes.
> Ensures the consistency and repeatability of processes. People tend to “adapt” manual processes over time to suit their own needs, resulting in inconsistencies. Automation, on the other hand, enables the establishment of processes that are consistent and repeatable, and it enforces their use.
> Permits faster implementation of ITIL and potentially faster ISO 20000 certification. Automation solutions that are based on ITIL can help an organization quickly implement ITIL best practices, accelerating the time to reach ISO 20000 achievement.
> Helps reduce costs. Automation can help reduce staff costs by performing routine, repetitive functions that would otherwise soak up much staff time, and by reducing service outages.
> Facilitates regulatory compliance. Automation helps organizations establish and enforce required best practices and provides an audit trail to enable organizations to achieve and demonstrate compliance.

Selecting the Right Automation Solution
Because of the importance of automation in achieving ISO 20000, organizations should exercise great care in selecting an automation solution. This section presents some guidelines for making that choice.

Support ITIL
Because ITIL is fundamental to ISO 20000, it’s important to select an automation solution that supports ITIL processes. The solution should support processes that span all IT service management disciplines — asset management, change and configuration management, incident and problem management, release management, capacity management, availability, financial management, and service level management. Suites make more financial sense than “best-of-breed” applications that need considerable manual integration work.

In addition, one of the major requirements of ITIL is integrating processes across disciplines. Look for a solution that fully integrates the various ITIL processes from both a process and a data perspective, rather than merely providing field-to-field mapping.

Maintain a CMDB
Another important consideration is to look for an automation solution that provides a single “source of reference” across all IT areas. This requires a solution that uses a configuration management database (CMDB) to maintain information on the IT environment.

The CMDB contains detailed information on all ITIL configuration items (CIs) in the infrastructure, including each item’s location, configuration, and physical and logical interrelationships with other items. The CMDB ensures that all processes are working from consistent and accurate data. Because of the complexity and fluidity of the IT infrastructure, look for a solution that automatically populates the CMDB and updates it whenever changes are made.

Manage IT from a Business Perspective
One of the three major goals of ISO 20000 is to improve the business alignment of IT services. To meet this goal, the IT staff must manage IT services from a business perspective; that is, perform Business Service Management (BSM). Consequently, it’s important to look for an automation solution that supports BSM. One of the key requirements generated by BSM is that the solution enables the IT staff to understand the relationships of the IT infrastructure components to the business services they support. It should also indicate the business impact of events such as performance slowdowns or component failures that occur in the IT infrastructure. Only in this way can the staff make decisions based on business impact and business priorities.

What to Do Next
It’s important to realize that ISO 20000 is not a destination, but rather a journey in which IT strives to achieve true business service management and grow continually in ITSM maturity. As a result, whether or not an organization is seeking ISO 20000 certification, it should establish a culture of continual improvement in ITSM and seek to implement all ITIL processes that are pertinent to the business. This section presents some guidelines that will help facilitate progress.

Become Familiar with Pertinent Documents
The first thing the IT staff should do is gain an understanding of ISO 20000, and if it has not already done so, the IT staff should also become familiar with ITIL and COBIT. The documentation described previously in this paper can be used as an information source.

Assess the Current Situation
Next, the staff should assess the current situation and determine how the organization measures up to ISO 20000. This will provide a good idea of how well the organization is implementing ITIL. ISO 20000 Part 1 and Part 2 can be used to gain an understanding of what is required.

Initiate an Improvement Program
The IT staff can use the initial ISO 20000 assessment as a “health check” mechanism to kick-start an improvement program. The staff should determine which steps to take next to improve the current situation, using the information obtained in the assessment to identify those areas that have the greatest potential for improvement. Those organizations that are already in the process of implementing ITIL can leverage their investment in ITIL to accelerate progress.

Establish a Culture of Continual Improvement
It’s important to keep in mind that the ISO 20000 journey is an iterative process of continual improvement and cannot be completed in one giant step. Consequently, once the first steps have been successfully completed, the staff can re-examine the initial assessment information to determine the next most promising areas to address. The staff should proceed in an iterative fashion, growing in maturity and measuring progress along the way, using the ISO 20000 standard, ITIL, and COBIT IT control objectives.

Conclusion
Although ISO 20000 documentation has only recently been released and ISO 20000 certification has not yet begun, it is important that organizations begin now to assess the potential impact of the standard and determine whether to seek certification. In any case, organizations implementing or planning to implement ITIL to improve the quality of their IT service delivery can use ISO 20000 to guide and gauge their progress.

What’s most important to understand about ISO 20000 and ITIL is that they both necessitate continual improvement, which can increase an organization’s credibility and competitiveness.

Recommended References
ITIL: www.itil.co.uk/
BMC Software solutions: www.bmc.com/itil
COBIT: www.isaca.org/Template.cfm?Section=COBIT_Online&TEmplate=/ContentManagement/ContentDisplay.cfm&ContentID=15633
BS ISO/IEC 20000-1:2005 and BS ISO/IEC 20000-2:2005: www.bsi-global.com/ICT/Service/bs15000-1.xalter
The Differences between BS 15000 and BS ISO/IEC 20000: www.bsi-global.com/ICT/Service/bip0039.xalter
ISO 20000 Part 1: www.bsi-global.com/ICT/Service/bs15000-1.xalter
ISO 20000 Part 2: www.bsi-global.com/ICT/Service/bs15000-2.xalter

BMC Software, the BMC Software logos, and all other BMC Software product or service names are registered trademarks or trademarks of BMC Software, Inc. All other registered trademarks or trademarks belong to their respective companies. © 2006 BMC Software, Inc. All rights reserved. 65217

About BMC Software
BMC Software helps IT organizations drive greater business value through better management of technology. Our industry-leading Business Service Management solutions ensure that everything IT does is prioritized according to business impact, so IT can proactively address business requirements to lower costs, drive revenue, and mitigate risk. BMC solutions share BMC Atrium™ technologies to enable IT to manage across the complexity of diverse systems and processes — from mainframe to distributed, databases to applications, service to security. Founded in 1980, BMC Software has offices worldwide and fiscal 2005 revenues of more than $1.46 billion. BMC Software. Activate your business with the power of IT. For more information, visit www.bmc.com.

About the Author
Ken Turbitt, best practices director for BMC, has broad experience in best practices management, IT, and consulting; has held an ISEB ITIL Manager/Masters qualification for more than ten years; and has been a Gartner-qualified TCO consultant.

table of contents abStract a Natural Next Step ITIL COBIT BS 15000 1 2 3 3 3 a clOSer lOOk at ISO 20000 3 tHe Impact Of ISO 20000 Should an Organization Seek Certification? For Organizations Not Seeking Certification — Use ISO 20000 as a Guide Importance of Continual Improvement 4 4 5 5 ImpOrtaNce Of autOmatION tO ISO 20000 Advantages of Automation 6 6 6 6 6 6 7 7 7 7 7 7 7 SelectINg tHe rIgHt autOmatION SOlutION Support ITIL Maintain a CMDB Manage IT from a Business Perspective WHat tO DO Next Become Familiar with Pertinent Documents Assess the Current Situation Initiate an Improvement Program Establish a Culture of Continual Improvement cONcluSION recOmmeNDeD refereNceS .

which is now available. ISO 20000.abstract International standards related to IT Service Management permit organizations worldwide to collaborate and they provide valuable guidelines that help establish the credibility of companies. and that it fosters a culture of continual quality improvement in IT Service Management. The release of ISO 20000 raises a question to organizations around the world: What does the organization need to do today with respect to ISO 20000? This paper is intended to help answer that question by: > Describing the evolution of ISO 20000 > Providing an overview of ISO 20000 > Discussing the potential impact of ISO 20000 on organizations > Reviewing the need for automation to meet the requirements of ISO 20000 and the criteria that an automation solution should meet > Suggesting actions an organization can take now to prepare for ISO 20000 certification PA G E >  . allows an organization to demonstrate to its customers and investors that it operates with business integrity and security. Why is this so important? It is because achieving ISO 20000 certification can help give companies a competitive edge over those companies that don’t meet this standard. A new standard.

which replaces BS 15000. and global certification is expected to begin in 2006. provides a standardized way of verifying that an organization has successfully adopted IT Service Management best practices as defined by ITIL. practices.) The release of ISO 20000 demonstrates that IT has reached a point in its maturity where few organizations could survive without it. and BS 15000. Other standards. And ISO 20000 was created via a fast track from BS 15000. COBIT. however. will benefit by following the latest standard from the International Organization for Standards (ISO) — ISO 20000. The new standard is based on the British standard BS 15000 and is closely aligned with the IT Infrastructure Library (ITIL®). (See Figure 1. which has been a de facto standard for service management for almost 20 years. ISO 20000 is a code that provides a yardstick for measuring and validating an organization’s success in implementing best practices as defined by ITIL. ISO 20000. This paper. Those organizations that have achieved or are pursuing achievement of BS 15000 and those organizations that are implementing ITIL will find themselves already on the path to ISO 20000. This new standard promotes the adoption of an integrated process approach to the effective delivery of IT services and sets guidelines for quality in IT service management (ITSM). Service Design and Management Processes > Capacity Management > Service Contingency and Availability Management > Service Level Management > Service Support > Information Security Management > Budgeting and Accounting for IT Services Service Design and Management Processes > Configuration Management > Change Management Release Processes > Release Management Supplier Processes Resolution Processes > Incident Management > Problem Management > Business Relationship Management > Supplier Management Figure 1. and consequently able to increase their credibility as organizations. focuses on the relevance of key ones — ITIL. 
BS 15000 — a British standard first issued in 2000 to promote the adoption of an integrated process approach to the effective delivery of IS services — is based on ITIL. and models may also be relevant to ISO 20000. ISO 20000 Service Management Processes PA G E >  . Documentation defining this standard has been released in 2005.a Natural Next Step Organizations focused on continual quality improvement in IT Service Management.

integrated set of seven books. and are categorized by domain. directly. for example. This took the foundation of BS 15000 to the next level. It is expected that organizations with BS 15000 certification will be the first to seek ISO 20000 certification. which was established by the Sarbanes-Oxley Act of 2002 to oversee the audits of public companies. will follow. relationship processes. Office of Government and Commerce (OGC). and hence in achieving ISO 20000 compliance. ITIL is owned and maintained by the U. resolution processes. 13 of which rely on ITIL a closer look at ISO 20000 In May 2005. Figure 2 shows the IT process areas defined in the ITIL guidelines and their interrelationships. closely aligned with ITIL. The Institute of Chartered Accountants in England and Wales. COBIT IT controls are becoming a necessary part of doing business in just about all industries and are essential in implementing ITIL. The IT Governance Institute (ITGI) has constructed an ITfocused control framework called Control Objectives for Information and related Technology (COBIT) that provides specific IT governance guidelines to help organizations implement controls.S. specifically mentions the importance of IT systems and IT general controls in its auditing guidelines dated March 9. 2004. “A company’s system of internal control has a key role in the management of risks that are significant to the fulfillment of its business objectives. It provides a level of quality for those activities that can be audited.. In addition. This guide. Planning to Implement Service Management The Business Perspective Service Management ICT Infrastructure Management Service Delivery Security Management Applications Management Suppliers Figure 2. COBIT establishes a set of 34 high-level IT control objectives.) It is also anticipated that other organizations around the world. the Public Compa” ny Accounting Oversight Board (PCAOB) in the U. 
entitled “Internal Control: Guidance for Directors on the Combined Code. most probably led by companies in industries in which IT plays a critical business role. The nature of the business relationship between the service provider and the business will determine how the requirements in Part 1 of ISO 20000 are to be implemented to meet the overall objectives. (Those organizations are all outside the U.K. BS 15000 BS 15000. has published its final guidance on the implementation of the internal control requirements of the Combined Code on Corporate Governance. including those in the U.. The ultimate goal of ISO 20000 is to: > educe operational exposure to risk R > Meet contractual requirements > Demonstrate service quality The ISO expects first certifications to be achieved in 2006.ITIL ITIL consists of a coherent. members of the ISO and the International Electrotechnical Commission (IEC) voted to make BS 15000 the basis for ISO 20000.S. release processes. IT Process Areas PA G E >  The Technology The Business Service Support .S. The objectives are shown in Table 1. has the support and endorsement ” of the London Stock Exchange. as it set the stage for an international standard. most of which are defined in detail within ITIL. and control processes. each defining best practice guidelines for a specific area of IT service management. The service provider may be internal or external to the business. defines a set of minimum requirements against which an organization can be assessed for effective IT service management processes. which has stated that. The guidelines are intended to be adapted by each organization to fit its specific needs. BS 15000 encompasses five key process groups: service delivery processes.

Table 1. COBIT IT Control Objectives

ID     Planning and Organization (PO)
PO1    Define a strategic IT plan
PO2    Define the information architecture
PO3    Determine the technological direction
PO4    Define the IT organization and relationships
PO5    Manage the IT investment
PO6    Communicate management aims and direction
PO7    Manage human resources
PO8    Ensure compliance with external requirements
PO9    Assess risks
PO10   Manage projects
PO11   Manage quality

ID     Acquisition and Implementation (AI)
AI1    Identify automated solutions
AI2    Acquire and maintain application software
AI3    Acquire and maintain technology infrastructure
AI4    Develop and maintain procedures
AI5    Install and accredit systems
AI6    Manage changes

ID     Delivery and Support (DS)
DS1    Define and manage service levels
DS2    Manage third-party services
DS3    Manage performance and capacity
DS4    Ensure continual service
DS5    Ensure systems security
DS6    Identify and allocate costs
DS7    Educate and train users
DS8    Assist and advise customers
DS9    Manage the configuration
DS10   Manage problems and incidents
DS11   Manage data
DS12   Manage facilities
DS13   Manage operations

ID     Monitoring (M)
M1     Monitor the processes
M2     Assess internal control adequacy
M3     Obtain independent assurance
M4     Provide for independent audit

ISO 20000 content is based on the following documents within BS 15000:
> Part One – Includes a set of minimum requirements and promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements. Documentation must include Service Management policies and plans, Service Level Agreements, processes and procedures required by ISO 20000, and any records required by this standard.
> Part Two – Covers a “Code of Practice for Service Management,” which distills key elements of ITIL best practices. This document is intended to help organizations establish processes to achieve the objectives of Part 1.

The Impact of ISO 20000
What does an organization need to do regarding ISO 20000? Should it seek ISO 20000 certification? If it is not seeking certification, what, if anything, should an organization do based on this new standard? This section should help answer those questions.

Should an Organization Seek Certification?
As mentioned earlier, ISO 20000 certification provides verification that an organization is deploying IT Service Management best practices as evidenced by an independent, external evaluation against a formal standard that has been carried out by an approved audit organization. This level of validation can help a company remain more competitive.
In determining whether to seek ISO 20000 certification, an organization should consider the following:
> ISO 20000 is especially important to organizations in industries in which quality IT services are essential to business success, such as — but not limited to — the financial services, utilities, and health services industries. Certification permits these organizations to demonstrate to their stakeholders and customers that they have well-managed IT environments.
> ISO 20000 is relevant to organizations that provide managed services and outsourcing of IT services. These service providers must prove that they have documented all five key areas within ISO 20000 and that the requirements of the standard are being adhered to. Certification permits managed services organizations to assure clients that their IT environments will be well managed, and enables outsourcing organizations to assure clients that they will receive high-quality IT services.

> Organizations should consider the implications of certification with respect to regulatory compliance. Today, organizations need to demonstrate compliance with an increasing number of government regulations. Many of these regulations, such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the U.S., deal specifically with IT services and IT Service Management (ITSM). Because ISO 20000 deals specifically with the quality of ITSM, it could provide an international standard that auditors can use to determine compliance. Currently, auditors do not require standards certification as proof of compliance, but in the future, they may.
> Certification may become a requirement to do business with certain organizations, such as government agencies or outsourcers.
> ISO 20000 certification will be granted only to organizations that have an ITSM operation, and will certify only the ITSM operation in those organizations. Certification will not be granted to products or to best practice advisory services offered by consulting organizations.

For Organizations Not Seeking Certification — Use ISO 20000 as a Guide
Even if an organization does not wish to initially seek certification, or just wants to ensure that it has implemented a world-class service, ISO 20000 documentation provides a valuable (and inexpensive) resource that can be used by organizations that have adopted ITIL and are implementing or plan to implement ITSM processes based on ITIL guidelines. It provides a standardized way for these organizations to measure their progress in “ITIL-izing” ITSM. Also, by striving to meet the requirements of ISO 20000, these organizations will be able to leverage their efforts and investments if they decide to pursue ISO 20000 certification later.

Importance of Continual Improvement
All organizations should keep in mind that a key aspect of ITIL, and hence ISO 20000, is validation of continual improvement in the quality of ITSM. The model of continual quality improvement is based on W. Edwards Deming’s concept of Plan-Do-Check-Act, originally established in the manufacturing industry. (See Figure 3.)
An important factor in pursuing continual improvement is to conduct regular “health checks” on the quality of ITSM. ISO 20000 provides a way to check how well an organization is doing in its quest to continually improve ITSM. The organization can use ISO 20000 (and COBIT) to define and measure achievement of each new level of improvement as it grows in service maturity.

Figure 3. Continual quality improvement (Plan-Do-Check-Act cycle around Managed Services and Management Responsibility; provided by the Institute of IT Service Management)

Importance of Automation to ISO 20000
Today’s IT organizations must manage complexity, both in their IT infrastructures and in the ITSM processes required to manage the infrastructures. The already high complexity of IT infrastructures is growing as organizations implement multitier architectures, services-oriented architectures, and virtualization technologies. The Internet has further increased complexity, adding many more users, both inside and outside the walls of the enterprise. These include employees, customers, and business partners.
To manage these infrastructures, many organizations are adopting ITIL guidelines to establish best-practice ITSM processes. ITIL requires the establishment of processes in multiple ITSM disciplines and the integration of these processes across disciplines. That’s a daunting task. In addition, the practice of continual improvement — which is fundamental to ITIL and ISO 20000 — is by no means a trivial undertaking.
In this exceedingly complex IT environment, manual processes are not viable. Organizations need to implement systems-based automation tools and solutions to help them manage complex environments.

Advantages of Automation
Automation delivers a number of important advantages:
> Helps ensure the integration of processes. While manual processes tend to demarcate processes by permitting people to preserve “organizational turf,” automation fosters the integration of processes.
> Ensures the consistency and repeatability of processes. People tend to “adapt” manual processes over time to suit their own needs, resulting in inconsistencies. Automation, on the other hand, enables the establishment of processes that are consistent and repeatable, and it enforces their use.
> Facilitates regulatory compliance. Automation helps organizations establish and enforce required best practices and provides an audit trail to enable organizations to achieve and demonstrate compliance.
> Helps reduce costs. Automation can help reduce staff costs by performing routine, repetitive functions that would otherwise soak up much staff time, and by reducing service outages.
> Permits faster implementation of ITIL and potentially faster ISO 20000 certification. Automation solutions that are based on ITIL can help an organization quickly implement ITIL best practices, accelerating the time to reach ISO 20000 achievement.

Selecting the Right Automation Solution
Because of the importance of automation in achieving ISO 20000, organizations should exercise great care in selecting an automation solution. This section presents some guidelines for making that choice.

Support ITIL
Because ITIL is fundamental to ISO 20000, it’s important to select an automation solution that supports ITIL processes. The solution should support processes that span all IT service management disciplines — asset management, capacity management, release management, availability, change and configuration management, financial management, incident and problem management, and service level management. What’s more, one of the major requirements of ITIL is integrating processes across disciplines. Look for a solution that fully integrates the various ITIL processes from both a process and a data perspective, rather than merely providing field-to-field mapping. Suites make more financial sense than “best-of-breed” applications that need considerable manual integration work.

Maintain a CMDB
Another important consideration is to look for an automation solution that provides a single “source of reference” across all IT areas. This requires a solution that uses a configuration management database (CMDB) to maintain information on the IT environment. The CMDB contains detailed information on all ITIL configuration items (CIs) in the infrastructure, including each item’s location, configuration, and physical and logical interrelationships with other items. The CMDB ensures that all processes are working from consistent and accurate data. Because of the complexity and fluidity of the IT infrastructure, look for a solution that automatically populates the CMDB and updates it whenever changes are made.

Manage IT from a Business Perspective
One of the three major goals of ISO 20000 is to improve the business alignment of IT services. To meet this goal, the IT staff must manage IT services from a business perspective, that is, perform Business Service Management (BSM). Consequently, it’s important to look for an automation solution that supports BSM. One of the key requirements generated by BSM is that the solution enables the IT staff to understand the relationships of the IT infrastructure components to the business services they support. It should also indicate the business impact of events such as performance slowdowns or component failures that occur in the IT infrastructure. Only in this way can the staff make decisions based on business impact and business priorities.

What to Do Next
It’s important to realize that ISO 20000 is not a destination, but rather a journey in which IT strives to achieve true business service management and grow continually in ITSM maturity. This section presents some guidelines that will help facilitate progress.

Become Familiar with Pertinent Documents
The first thing the IT staff should do is gain an understanding of ISO 20000, and if it has not already done so, the IT staff should also become familiar with ITIL and COBIT. ISO 20000 Part 1 and Part 2 can be used to gain an understanding of what is required. The documentation described previously in this paper can be used as an information source.

Assess the Current Situation
Next, the staff should assess the current situation and determine how the organization measures up to ISO 20000, using the ISO 20000 standard, ITIL, and COBIT IT control objectives. This will provide a good idea of how well the organization is implementing ITIL.

Initiate an Improvement Program
The IT staff can use the initial ISO 20000 assessment as a “health check” mechanism to kick-start an improvement program. The staff should determine which steps to take next to improve the current situation, using the information obtained in the assessment to identify those areas that have the greatest potential for improvement.

Establish a Culture of Continual Improvement
It’s important to keep in mind that the ISO 20000 journey is an iterative process of continual improvement and cannot be completed in one giant step. The staff should proceed in an iterative fashion, growing in maturity and measuring progress along the way. Consequently, once the first steps have been successfully completed, the staff can re-examine the initial assessment information to determine the next most promising areas to address.

Conclusion
Although ISO 20000 documentation has only recently been released and ISO 20000 certification has not yet begun, it is important that organizations begin now to assess the potential impact of the standard and determine whether to seek certification, which can increase an organization’s credibility and competitiveness. In any case, whether or not an organization is seeking ISO 20000 certification, it should establish a culture of continual improvement in ITSM and seek to implement all ITIL processes that are pertinent to the business.
What’s most important to understand about ISO 20000 and ITIL is that they both necessitate continual improvement. As a result, organizations implementing or planning to implement ITIL to improve the quality of their IT service delivery can use ISO 20000 to guide and gauge their progress. Those organizations that are already in the process of implementing ITIL can leverage their investment in ITIL to accelerate progress.

About BMC Software
BMC Software helps IT organizations drive greater business value through better management of technology. Our industry-leading Business Service Management solutions ensure that everything IT does is prioritized according to business impact, so IT can proactively address business requirements to lower costs, drive revenue, and mitigate risk. BMC solutions share BMC Atrium™ technologies to enable IT to manage across the complexity of diverse systems and processes — from mainframe to distributed, databases to applications, service to security. Founded in 1980, BMC Software has offices worldwide and fiscal 2005 revenues of more than $1.46 billion. Activate your business with the power of IT. For more information, visit www.bmc.com.

About the Author
Ken Turbitt, best practices director for BMC, has held an ISEB ITIL Manager/Masters qualification for more than ten years, has broad experience in best practices management, IT, and consulting, and has been a Gartner-qualified TCO consultant.

BMC Software, the BMC Software logos, and all other BMC Software product or service names are registered trademarks or trademarks of BMC Software, Inc. All other registered trademarks or trademarks belong to their respective companies. ©2006 BMC Software, Inc. All rights reserved.
