
2012

Upgrading to ISO/IEC 20000-1:2011 at Oxford University Press

Presenters
Karl Andrews, Oxford University Press: IT Service Desk Manager, ISO 20000 Process Owner
Lynda Cooper: ISO/IEC 20000-1:2011 project editor, ITIL Master, independent consultant and trainer

Agenda
Introduction

OUP ISO/IEC 20000 certification


ISO/IEC 20000 2011 edition

The upgrade project


OUP view of the changes

Questions
Note: ISO/IEC 20000 will be referred to as ISO20000

Introduction to OUP
Oxford University Press is a department of the University of Oxford established in 1633.

Our mission is to further the University's objective of excellence in research, scholarship, and education by publishing worldwide.
Globally we employ almost 6000 people, with offices in 50 countries, making us the largest University Press in the world.

OUP ISO20000 certification


Karl Andrews

Oxford English Dictionary

Definition of Standard
An authoritative or recognized exemplar of correctness, perfection, or some definite degree of any quality. A definite level of excellence, attainment, wealth, or the like, or a definite degree of any quality, viewed as a prescribed object of endeavour or as the measure of what is adequate for some purpose.

Why ISO20000 at OUP?


Mature ITIL organisation

Greater dependency on IT to deliver innovative new services


Demonstrate value for money and justify further investment

Prove that OUP provides IT Services to a world-class level

Benefits for OUP


Seen as a professional IT Service provider
Defined processes and procedures to improve the quality of service to our customers
Reduction in incidents
The same for less, increase efficiency and removal of waste
Engaged employees through continual improvements
Supported new business developments

Summary of key changes in ISO/IEC 20000-1 2011 edition


Lynda Cooper

Service Management System

PDCA methodology

Management of other parties


[Diagram: the service provider and the other parties it works with. Parties shown: interested parties, customer, service provider, service provider team, customer acting as a supplier, external supplier, subcontracted supplier, internal group. Management labels: supplier management; managed by supplier, not service provider; managed by SLM (twice).]

Governance of processes operated by other parties


[Diagram: governance of processes operated by other parties. Parties shown: interested parties, customer, service provider, service provider team, customer acting as a supplier, external supplier, subcontracted supplier, internal group.]

Design and Transition of new or changed services


[Flowchart: a request for change, or a proposal for a new or changed service, is assessed against the change policy. Decision: removal, transfer, major impact? Yes: design and transition of new or changed services process. No: change management process. Also shown: configuration management process, release and deployment management process.]

Certification and Qualification Schemes


(APMG scheme; other schemes may vary)
For certified organizations who have already been certified within the Scheme before the 1st June 2011: Audits and re-certifications of already certified organizations will still be permitted using Part 1 (ISO/IEC 20000-1:2005) for a 24 month period to allow organizations the time to adapt to meet the new requirements. After 01 June 2013, only audits and re-certifications using the ISO/IEC 20000-1:2011 will be accepted.
Qualifications for foundation, practitioner and auditor are now only available for the 2011 edition.

The ISO20000 series and related standards

Requirements
ISO/IEC 20000-1:2011 Information technology - Service management system requirements

Guidance
ISO/IEC 20000-2:2012 Guidance on application of service management systems
ISO/IEC 20000-3:2012 ISO/IEC TR 20000-3:2009 Scope definition and applicability of ISO/IEC 20000-1
ISO/IEC TR 20000-4:2010 Process reference model
ISO/IEC TR 20000-5:2010 Exemplar implementation plan for ISO/IEC 20000-1
ISO/IEC TR 20000-7 Guidance on the application of ISO/IEC 20000-1 to the cloud
ISO/IEC TR 20000-11 Guidance on the relationship between ISO/IEC 20000-1 and related frameworks
ISO/IEC 27013 Guidance on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
ISO/IEC TR 90006 Guideline on the application of ISO 9001 to IT service management and its integration with ISO/IEC 20000-1

Concepts and terminology
ISO/IEC TR 20000-10 Concepts and terminology

Key
Normative requirements standard
Guidelines standard
Guidelines being developed
Fixed line: Supports

Further information
BSI books
A guide to ISO/IEC 20000: The differences between the 2005 and the 2011 edition
A manager's guide to service management
Introduction to the ISO/IEC 20000 series

ITSMF books
Planning and achieving ISO/IEC 20000 certification pocket guide

http://blog.apmginternational.com/author/lyndacooper/

The upgrade project


Karl Andrews
Lynda Cooper

ISO20000 2011 update project

2005 certified

Initiate update project
Confirm scope
Identify other parties
Confirm governance
Update documents
Implement changes
Provide evidence
Confirm 2011 audit with auditor
Pre-certification audit
Certification audit

2011 certified

Assumption: 2005 edition requirements are met

OUP Scope
The IT Service Management system for application and infrastructure services supporting the activities of the Oxford University Press according to the Service Catalogue of OUP Group IT Services delivered from sites in Oxford and Kettering

Upgrade project approach


1. Awareness and planning
   1. Workshop - key differences and approach
   2. Logistics for stage 2
   3. Top management presentation
2. Assess changes needed and make the changes
3. Audits
   1. Pre-certification audit (evidence based)
   2. Final changes
   3. Certification audit 2011 edition

Upgrade project stage 2


By process or sub-process
Each process owner:
Workshop 1: Discuss differences and agree required actions
Revise all documentation
Workshop 2: Review documentation, plan implementation and required evidence
Implement changes

Workshop with other parties where required
Raise awareness of how changes will impact working together
Investigate roles of suppliers and internal groups

Timeline
1 - March: Awareness, Planning
2 - April/Sept: Workshops, Updating documents, Implementing the changes, Communication
3 - Oct/Nov: Pre-certification audit, Certification audit

Surveillance audit in August for 2005 edition

The simplest upgrade areas


Incident and service request
Problem

Capacity

Budgeting and accounting for services

Configuration
Service reporting

Business relationship

Medium level of changes


Service level management

Service continuity and availability


Supplier management

SMS general requirements

Governance of processes - OUP


[Diagram: the parties from the governance slide (interested parties, customer, service provider, customer acting as a supplier, service provider team, external supplier, internal group), annotated for OUP.]

No impact, but it took several meetings to understand what was meant and to determine if there were internal groups

External supplier: There are suppliers but they do not operate any of the processes

Internal group: IT and business project groups do not operate any of the processes but interface with new/changed, change, release, config. mgt

None

Large level of change


Information security management

Ensure legal requirements are clear: data protection, PCI, licensing
Create information security objectives
Risk management extended to cover all services and more frequent assessments
Controls present but need to be documented
Controls for external parties exemplary!

Large level of change


Change management
Expansion of change management policy
Criteria to determine changes with the potential to have a major impact on services or the customer
Use of tasks in SM tool before RFC is raised
SAP transport changes dealt with through SAP system and team with minimal workflow through the change management process
Ensure RFCs are assessed for impact on related processes: continuity plan, availability plan, information security etc.

Large level of change


Release and deployment management
Scope of release process: project releases
Other releases in change process
Overlap with design and transition of new or changed services process
Support of selection of changes to be run as a project

The biggest change of all


Design and transition of new or changed services
Various workshops and presentation to IT board
Identified by IT board as an area requiring improvement - use the upgrade as an opportunity to make step change
Decision made to create a new position to own this process and work closely with the Project groups to ensure that all new or changed services are planned, designed, developed, tested and implemented to meet the ISO20000 requirements and ensure successful service delivery

Project experiences - constraints


Fitting this in with the day job

Surveillance audit to 2005 edition in August: do not implement new items until after this audit

Lessons learned
Allow lots of time to upgrade

Bring in an expert: speeds up the process and allows objectivity


Try to make the changes as improvements

Implement using change management

Use the opportunity to make improvements and step changes for weaker areas

Project outcome
All simple, medium changes made and implemented

All large changes made and starting to be implemented


Design and transition of new or changed services process: solution to meet new requirements using release and change mgt. To be improved into a separate process next year

2011 upgrade audit with DNV on Thursday!

OUP views of the updated standard


ISO/IEC 20000:2011 has
Provided greater clarity on all processes
Strengthened the importance of design and transition

The project to upgrade has


Saved time by using an expert
Focused effort
Simple, to the point, effective

Next steps to upgrade your ISO20000 certification


31st May 2013: last date for audit to 2005 edition

Upgrade activities for 2011 edition

Assessment against 2011 edition

Questions
Lynda.cooper@service20000.com
Karl.andrews@oup.com
