EXIN IT Service
Management
Foundation based on
ISO/IEC 20000
Edition January 2014
DISCLAIMER:
Although every effort has been taken to compose this publication with the utmost care, the Authors,
Editors and Publisher cannot accept any liability for damage caused by possible errors and/or
incompleteness within this publication. Any mistakes or omissions brought to the attention of the
Publisher will be corrected in subsequent editions. All rights reserved.
COPYRIGHT
©2014 All rights reserved. No part of this publication may be published, reproduced, copied or
stored in a data processing system or circulated in any form by print, photo print, microfilm or any
other means without written permission by EXIN.
Edition: 2014
Since its emergence in 2005, the international standard ISO/IEC 20000 has certainly become a
compulsory reference for professionals and companies related to IT Service Management (ITSM).
So much so that a great number of private companies and public institutions, such as the US
Department of Defense, have adopted this standard.
EXIN, world leader in the field of Information Management for the certification of professionals, was
a pioneer in developing a qualification scheme for people based on ISO/IEC 20000, providing the
professional not only with the knowledge of the first part of the standard (the requirements), but
also with the experience of all our expert contributors in traditional frameworks of IT Service
Management best practice, making the ITSM scheme based on ISO/IEC 20000 the appropriate
scheme for organizations and professionals that want to get the most out of the standard, without
obsessing about the requirements to fulfill.
The aim of this workbook is to be a helpful support for students of ITSM Foundation based on
ISO/IEC 20000. Although the book itself could serve to prepare for the certification of the exam
based on ITSM Foundation of ISO/IEC 20000, it is highly recommended, as far as possible, to
attend official training that any accredited EXIN partner may offer in a large number of countries.
Furthermore, sharing experiences with colleagues and trainers will certainly enrich the reading of
this text.
Ricardo Santiago
Area Manager of Spain, Portugal and Latin America
EXIN
Colophon
Prologue
Table of contents
Introduction
1 Introduction to IT Service Management
1.1 The importance of quality in IT services
1.2 Basic concepts of quality frameworks
Exam Preparation: chapter 1
2 The Service Management System (SMS)
2.1 What is a Service Management System (SMS)?
2.2 SMS general requirements
2.3 Establish and improve the SMS
Exam Preparation: chapter 2
3 Service Design and Transition
3.1 Basic concepts of Service Design and Transition
Exam Preparation: chapter 3
4 The service delivery processes and their relationships
4.1 Service Level Management
4.2 Service Reporting
4.3 Service Continuity and Availability Management
4.4 Budgeting and Accounting for Services
4.5 Capacity Management
4.6 Information Security Management
Exam Preparation: chapter 4
5 The relationship processes and their relationships
5.1 Business Relationship Management
5.2 Supplier Management
Exam Preparation: chapter 5
6 The resolution processes and their relationships
6.1 Incident and Service Request Management
6.2 Problem Management
IT Service Management (ITSM) quality is one of the most important requirements for providing
services that add value to the business. The ISO/IEC 20000 standard for IT Service
Management brings together the principles of ISO quality management and the
standard ITSM processes in the market.
The purpose of this book is to help in preparing for the EXIN ITSM Foundation based on ISO/IEC
20000 exam, providing an overview of IT Service Management from the perspective of ISO/IEC
20000. It addresses fundamental concepts such as quality, the frameworks, the services
provided to the business and the processes that support, control and facilitate those services.
The exam consists of 40 multiple-choice questions. Throughout the chapters of this book you will
find examples of these exam questions, along with others focused on the understanding of
concepts that will help fix the ideas, which can be found at the end of each chapter. The exam
specifications are given at the beginning of each chapter, and the weight of each of the topics is
shown as a percentage of the total.
The book is aimed at those who wish to prepare for the exam to obtain EXIN ITSM Foundation
based on ISO/IEC 20000 Certification, those interested in IT Service Management or those who
play a role in this field. This includes staff from internal and external service providers, their
customers and their managers.
After reading chapter 1, you will be able to understand the basic concepts on which IT Management
is based and the standards and frameworks related to it. You will thereby achieve the
following objectives:
The concept of quality is commonly used in our language. We talk about “good quality” or “bad
quality” when referring to a product or a service acquired, to express if we are satisfied with it or not.
But what makes quality “good” or “bad”? Against what are we comparing this service
or product when making this assessment?
To avoid misunderstandings we should first define what quality is. The ISO 9001 standard, which
defines how a quality management system should be (and on which the ISO/IEC 20000 standard is
based), says that:
We can talk about quality when the customer obtains every single characteristic expected from a
product or service.
The customer has the last word on whether the service or product acquired fulfills his or her
expectations. Therefore, any product or service that meets the customer requirements, in the terms
previously agreed, is a quality product or a quality service.
Quality has not always been a strategic concept in business. At the beginning of the 20th century,
quality in production chains was restricted to the inspection of the final product before delivery
to the customer. This prevented the delivery of defective products, but neither products nor processes were
improved, which implied an additional cost for the customer, meaning that quality was expensive.
This was a valid method while demand was higher than supply. However, when the situation
turned around, customer expectations increased not only in terms of quality but also in terms of product
cost. As a result, quality was no longer limited to the final product; it extended to the complete
manufacturing process (“…it has to be well done from the very first time…”).
During the 1980s, quality became a strategic element in business, a differentiating factor that could
help position the company's offering ahead of its competitors. The concept of Total Quality
Management (TQM) appeared. This is a management strategy developed by several American
consultants, W. E. Deming and Joseph Juran among them. Kaoru Ishikawa, a well-known expert in
quality management, defined TQM as "Philosophy, culture, strategy or management style of a
company according to which all persons in the same, study, practice, participate and promote
continuous quality improvement."
In 1987, the International Organization for Standardization (ISO) adopted a set of quality standards
known as ISO 9000, which has been implemented in every kind of organization. ISO 9000 certification
guarantees that an organization is ruled by TQM principles.
As we saw in the previous section, quality has evolved over time from a
simple check of a finished product to quality management, in which what is sought is customer
satisfaction. Therefore we can say that:
Quality management includes everything the organization does to ensure that its products or
services meet customers’ quality requirements and to comply with all the applicable norms to
those products or services.
When the ISO 9000 family of standards (international standard for quality management) was drawn
up, eight basic principles were established to underpin the whole system of quality management.
These principles, according to what is stated in ISO 9001, are as follows:
2. Leadership: Leaders are responsible for guiding the organization, and for motivating
and involving the staff in its objectives.
3. Involvement of people: It is essential that all staff, whatever their level, get involved,
putting their skills at the disposal of the organization.
4. Process approach: Activities and related resources are much more efficient when they
are managed as a process.
7. Factual approach to decision making: Only an analysis of existing data and information
enables effective decision-making.
8. Mutually beneficial supplier relationships: Organizations depend on their suppliers in order
to meet their commitments to their customers. Therefore, a mutually beneficial relationship
enhances the ability of both parties to add value to their work.
Figure 1.4: Quality Management Principles (Source: ITeratum, based on ISO 9001)
Over the last decades, the relationship between IT and the rest of the business has evolved.
Information Technology was usually considered to generate products: computers,
systems, applications, etc. However, as the quality concept was being reinforced,
the relationship between business and IT was changing, increasingly moving towards one
in which what the business demanded from IT was not just products but services.
ITIL® gives the following definition of a service that has been adopted by ISO/IEC 20000:2011:
Service is a means of delivering value for the customer by facilitating results the customer wants
to achieve without having to assume ownership and responsibility for the costs and risks involved.
Let's look at a simple example. Suppose one day we decide to eat pizza. One possibility is to
go to a pizzeria, buy the one we like and take it home for dinner. In this case, we are buying a
product.
Another possibility would be to call the pizzeria to order the pizza. In this case, an
operator would receive the order, someone else would prepare it and a third person would
bring the pizza to our home by vehicle for dinner. We could even make a claim in the event that
the pizza does not arrive in proper condition. In this case, we are making use of a service
(home delivery service).
Consequently, we may say that an IT Service is any service provided by the IT organization to the
business. Although information technology uses products for the provision of IT services, nowadays
it is being increasingly accepted that IT activities are within the domain of services.
They are intangible: they have tangible components but they are much more than the
simple combination of these components.
They are produced and consumed at the same time: they cannot be stored.
They are highly variable: not only machines are involved in the services, but also people.
The user gets involved in the service production: it is common that the user has to perform
certain actions so that the service can be used.
Satisfaction is a subjective concept: products can be valued before purchase, but you
cannot judge a service that has not been received yet.
From a technical point of view, we can say that a service consists of an information system that is
linked with a particular support and that is delivered to the customer with certain quality levels that
have been previously agreed.
Information Systems: An information system is a bundle of elements intended to perform the
management and administration of data used in the business
processes information control or support. Basically it consists of
people, products, processes and associated suppliers.
One of the main challenges of providing services is to ensure that the quality perceived by
customers and/or users is aligned with their expectations and that this quality is maintained over
time. To this end it is necessary that the service provider fully understands the customer
expectations, has the knowledge to convert them into real services and carries out continuous
monitoring in order to avoid disparities between what the customer expected and his or her
perception of the service received.
To avoid these disparities ("gaps") it is important that both the customer and the provider speak
the same language (COBIT®, ITIL®, etc.), that the customer clearly specifies his or her
expectations, and that the provider is adaptable enough to face the frequently changing situation of
services.
A continuous review and evaluation of services between the customer and the provider will allow
an increasing alignment between what the business demands and what IT provides, as well as a
more effective and efficient adjustment of costs.
To get an organization to work effectively it is necessary to carry out a large number of interrelated
activities. It is important that these activities can be controlled and managed from beginning to end,
so that the organization is able to achieve its objectives. To this end the process-oriented approach
is used. But what does process mean? ISO 9001:2005 defines it as:
A process is an activity or a group of activities that uses resources and that is managed in order to
get the input elements transformed into outcomes.
As we have seen in the previous section, an important point of process orientation is that it allows
identifying improvement opportunities. However, to find out if we do something in the process that
is likely to be improved, we should be able to perform measurements of what is happening in the
process, that is, we need to be able to evaluate the process.
To this end Critical Success Factors (CSF) and Key Performance Indicators (KPI) are used. A CSF
is something that must happen for a service, process or activity to be successful, while the KPIs are
used to measure the achievement or not of each CSF. CSFs are qualitative while KPIs are
quantitative elements.
For example, a CSF could be "avoiding IT services being affected when changes are made". That
can be measured by KPIs such as "reduction percentage of failed changes", "reduction percentage of
incidents due to changes", etc.
A role is a set of responsibilities, activities and authority levels defined in a process and assigned
to a person or group of people.
Process Owner: responsible for describing the process and its results.
Process Manager: responsible for the operation of the process, the day-to-day control and
management.
Process Personnel (teams or professionals): responsible for certain activities.
It is important to highlight that a person or a team may be able to perform multiple roles.
Set of capabilities and processes to direct and control the service provider's activities and
resources for the design, transition, delivery and improvement of services to fulfill the service
requirements
Regarding IT services, the 2011 edition of ITIL® specifies that IT Service Management (ITSM) is
"the implementation and management of IT quality services that meet business needs by service
providers, through a combination of people, processes and technology".
There are basic relationships in ITSM between each of its components: customers, business
processes, IT services and service providers:
The benefits and potential risks or difficulties of IT Service Management are shown in the following
comparison chart:
To carry out the usual tasks of IT Service Management it is normal to make use of a number of
elements (applications, systems, customized developments, etc.) which facilitate the automation
of processes in our daily work. These elements are generally known as “tools”.
The use of tools is very important because it allows increasing efficiency, with the subsequent cost
reduction, while providing evidence of the processes carried out. ISO/IEC 20000-1:2011 mentions
tools stating “appropriate tools may be used to enable the service management processes to be
effective and efficient”.
Over the last decades, ITSM tools of varying complexity, cost, scope and functional
features have appeared on the market. Some of the most typical tools that can be found are:
Monitoring tools
Distribution / software discovery / hardware tools
Integrated sets of tools for Service Management
Design and control of workflow tools
Infrastructure remote management tools
In any case, the fact that a company has an ITSM tool does not mean that the Service
Management is implemented by itself, in the same way that the fact of having a piano does not
mean you know how to play it.
We should not make the mistake of confusing the implementation of Service Management with
the implementation of a provider’s tool, however powerful and famous it may be. In Service
Management it is necessary to take into account other factors linked to technology: people,
processes and providers/suppliers.
When we discussed quality, one of the eight principles of Quality Management was
continual improvement. To simplify, we can say that continual improvement consists of providing
the necessary means to make things increasingly better.
This could seem easy at first, but it implies effort and significant involvement by all the staff in
the organization, from top management to the lowest-level employees, so that gradual
improvement becomes a reality.
Plan: To establish, document and agree on the Service Management System (SMS), including
the policies, objectives, plans and processes necessary to design and deliver services
aligned to business needs, customer requirements and service provider's policies.
Do: To implement and operate the SMS for the design, transition, delivery and
improvement of services, assigning roles and responsibilities.
Check: To monitor, measure and review the SMS and the services against the plans,
policies, objectives and requirements and to report on the results.
Act: To take actions to continually improve SMS performance. This includes the service
management processes and the services themselves.
The International Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC) define a specialized system for worldwide standardization. Their technical
committees (JTC, Joint Technical Committees) collaborate in areas of mutual interest; one
example is ISO/IEC JTC 1, which is responsible for the preparation of the ISO/IEC 20000
standard.
ISO/IEC 20000 is an international standard which aims to ensure the provision of managed
services at a level of quality that is acceptable to customers and negotiated with them.
It was released for the first time on December 15, 2005 (this standard is known as ISO/IEC
20000:2005). It was later reviewed (all standards must be reviewed every five years) in order to
align it with other existing standards, practices and technologies, resulting in the release of
ISO/IEC 20000:2011 on April 15, 2011.
ISO/IEC 20000 promotes the use of the PDCA methodology. It is a process-based standard
that does not consider a life cycle for services. However, stages of Design, Transition, Operation
and Improvement of such services can be identified. This standard consists of several parts:
As shown in the chart, not all parts have been published, nor are they all at the same stage of
development. In this book, the two parts we will focus on will be Part 1 (ISO/IEC 20000-1:2011)
and Part 2 (ISO/IEC 20000-2:2012).
Part 1 considers what the standard calls the “shalls”, that is, “what to do” in an SMS, while Part 2
considers the “shoulds”, or “what should be done”. In other words, while Part 1 provides information
about what is mandatory according to the standard, Part 2 provides recommendations to be
followed.
When an audit mentions breaches or non-conformities with the standard, it is referring to those
points of the SMS that do not adhere to the requirements of ISO/IEC 20000 Part 1.
Depending on the approach with regards to this international standard, different groups may find it
helpful:
Organizations:
o For any organization seeking services from service providers and requiring assurance
that their service requirements will be fulfilled.
o For any organization that requires a consistent approach by all its service
providers, including those in a supply chain.
Service Providers:
o For a service provider that intends to demonstrate its capability for the design, transition,
delivery and improvement of services that fulfill service requirements.
o For a service provider to monitor, measure and review its service management processes
and services.
o For a service provider to improve the design, transition and delivery of services through
effective implementation and operation of an SMS.
Assessors or Auditors:
o For an assessor or auditor as the criteria for a conformity assessment of a service
provider's SMS to the requirements of the standard.
Both Part 1 (ISO/IEC 20000-1:2011) and Part 2 (ISO/IEC 20000-2:2012) of the standard are
divided into a number of uniform sections that deal with similar subjects. These sections are:
1. Scope
2. Normative references
3. Terms and definitions
4. Service management system general requirements
4.1. Management responsibility
4.2. Governance of processes operated by other parties
4.3. Documentation management
4.4. Resource management
4.5. Establish and improve the SMS
5. Design and transition of new or changed services
6. Service delivery processes
6.1. Service level management
6.2. Service reporting
6.3. Service continuity and availability management
6.4. Budgeting and accounting for services
6.5. Capacity management
6.6. Information security management
7. Relationship processes
7.1. Business relationship management
7.2. Supplier management
8. Resolution processes
8.1. Incident and service request management
8.2. Problem management
9. Control processes
9.1. Configuration management
9.2. Change management
9.3. Release and deployment management
Figure 1.10: Sections of the standard & Processes (Source: ISO/IEC 20000-2)
There are multiple standards, frameworks, best practices and new technologies that have grown to
make up the current panorama of Information Technology Service Management. Since
each of them tends to focus on a specific part of ITSM, taken together they form a view in which they
complement one another and reinforce the effectiveness and efficiency that an organization can achieve
through their knowledge and use.
1.2.4.1 ITIL®
In its latest review (2011), ITIL® takes into account 26 processes, many of them closely related to
those considered in the ISO/IEC 20000:2011 standard. Because of this, it is used by many
organizations as the body of knowledge which supports the implementation of ISO/IEC 20000.
COBIT®, Control Objectives for Information and Related Technologies, is a worldwide accepted
reference framework for IT Governance based on the standards and best practices of the
industry.
It was created by ISACA in 1996, and then jointly developed with ITGI®, with the objective of being
used in the audit of information systems. Later on it evolved into a framework for IT Management.
ISACA, the Information Systems Audit and Control Association, defines the purpose of COBIT® as
"helping IT professionals and business leaders fulfill their governance and management
responsibilities, particularly in the areas of assurance, security, risk and control, in order to
add value to the business". ITGI® (IT Governance Institute) is a non-profit, independent research
entity that provides guidance to the global business community on subjects related to corporate
governance of IT assets. The ITGI® was established by ISACA in 1998.
Figure 1.13: COBIT® 4.1 (Source: ISACA)
At the time when this book was published, two versions of COBIT® coexisted: version 4.1, which
appeared in 2007 and is widely used, and version 5, recently released (2012). Version 4.1 is
structured in 4 domains or groups of processes (Plan and Organize, Acquire and Implement,
Deliver and Support, and Monitor and Evaluate). These four domains altogether encompass
34 processes. For each of these processes, COBIT® proposes a number of indicators to monitor
and control targets.
The COBIT® 5 Process Reference Model subdivides the activities and practices of the
organization related to IT into two main areas, Governance and Management. The Management
area is also divided into domains of processes:
The Governance domain contains five governance processes, each of them consisting of
practices defined for Evaluate, Direct and Monitor (EDM).
The four domains of Management are aligned with the responsibility areas of Plan,
Build, Run and Monitor (PBRM). These are:
o Align, Plan and Organize
o Build, Acquire and Implement
o Deliver, Service and Support
o Monitor, Evaluate and Assess
Six Sigma® is a process improvement methodology which aims to reduce defects, where a defect is
anything that falls outside the customer's specifications. The main objective of Six Sigma® is to reduce
errors to fewer than 3.4 defects per million executions (regardless of the process in question).
Six Sigma® applies statistical tools to study the processes. That is the reason behind its name:
“sigma” is the standard deviation, which indicates the variability in a process. The efficiency of a
process may be classified according to its level of sigma (DPMO = defects per million events or
opportunities):
Capability Maturity Model Integration (CMMI®) is a model to assess the maturity of processes
carried out in an organization, setting a method for gradual improvement.
Organizations may evaluate their maturity level against CMMI® using the Standard CMMI
Appraisal Method for Process Improvement (SCAMPI).
The ISO 9001 standard specifies the requirements to be met by a Quality Management System in
an organization, regardless of the product or service provided and the type of organization in
question.
The ISO 9001 standard has already been mentioned when we talked about Quality Management.
Among its main contributions, the 8 basic principles for the Quality Management stand out:
1. Customer focus
2. Leadership
3. Involvement of people
4. Process approach
5. System approach to management
6. Continual improvement
7. Factual approach to decision making
8. Mutually beneficial supplier relationship
ISO 9001 describes only general processes: organizational management, resource management,
product or service development, measurement, analysis and improvement. On the other hand,
ISO/IEC 20000, relying on ISO 9001, deepens and focuses on the issues related to Service
Management.
The ISO/IEC 27001 standard specifies the requirements that must be met by an Information
Security Management System (ISMS).
This standard is closely related to ISO/IEC 20000, to the point that if an organization certified
in ISO/IEC 27001 wants to become certified in ISO/IEC 20000, and the scope specified for both
standards is the same, ISO/IEC 20000-1 section 6.6 (Information security management) is not
required.
ISO/IEC 27000, just as other ISO standards, is based on the PDCA cycle:
And the family of standards is still growing (27011, 27031, 27033, 27035…).
The ISO/IEC 38500 is the standard for IT Governance. Its purpose is to promote an acceptable,
effective and efficient use of Information Technology in organizations.
By Corporate Governance we mean the set of directions, policies, processes and regulations by
which companies are ruled, operated and controlled, whatever their sector. The ISO/IEC
38500 standard refers to "IT Corporate Governance" and not "IT Governance". The reason
is that there is no separate set of rules for Information Technologies; they have to comply
with the same rules that govern the business.
The IT Corporate Governance should be carried out through three main tasks:
Evaluate: reviewing and assessing strategies and proposals, taking into consideration the
present and future business needs.
Direct: define and assign responsibilities for the implementation of plans and policies.
Monitor: using measurement systems, monitor performance and conformance to external
obligations.
Information Technology Service Management, by its very nature, is highly influenced by the
emergence of new technologies, and of others that evolve from traditional technologies, driven by
technical advances.
Combined with the interest of companies in optimizing their resources cost-efficiently, the
result is that a series of "New" Technologies come into play. Those technologies add to frameworks,
standards and best practices to enrich the available possibilities for IT Service Management.
Among the most successful we find the following:
Although every standard and/or framework previously seen may be used separately and be
sufficient for an organization, none of them provides a comprehensive solution to IT Management.
However, there is neither competition nor exclusion between them. Furthermore, they often have
overlapping areas, thereby becoming complementary elements.
Many organizations make use of a combination of them for a more effective management and
improvement of Information Technologies. Some companies have chosen a combination of ITIL®,
CMMI® and Six Sigma® as the best option, whereas others have preferred the option of ITIL® plus
COBIT® in order to transform their organization. There is no specific formula. Every organization
should choose their formula depending on their own needs and targets. The following table is a
summary of the elements studied and some possible combinations:
It is remarkable that all these frameworks and standards have a concept in common: the
commitment of people. People make it possible to apply them.
To help prepare for the exam, we have included multiple choice and conceptual questions (the
answer key can be found at the end of this workbook). Additionally you are provided with an
overview of terms with which you should be familiar.
Sample Questions
2. A service provider can integrate their Service Management System with a quality
management system or an Information Security Management System to provide the highest
level of service to the customer. Which standard supports the Quality Management System?
A. ISO 9001
B. ISO/IEC 27001
C. COBIT®
D. ITIL®
5. Why is it important that reviews are conducted regularly during the Check phase of the Plan-
Do-Check-Act (PDCA) methodology?
A. To be able to allocate roles and responsibilities
B. To be able to define the objectives and requirements that are to be achieved by Service
management
C. To be able to establish the Service management policy, objectives and plans
D. To determine whether the Service management requirements are effectively implemented and
maintained
7. A process is a set of interacting activities which transforms inputs into outputs. What is the
Process owner responsible for?
A. Describing the process
B. Operating the process
C. Providing process reports
D. Setting up the process
Exam Terms
Quality, Quality Management, Service, Customer, Process, Process orientation, ITSM, Roles,
PDCA, Deming Cycle, Framework, IT Governance, Maturity Model, Best practices, International
Standard, Customer Focus, Service Management Tools.
After reading chapter 2, you will be able to understand the role of the SMS within the organization.
Thereby you will then achieve the following objectives:
2.2 Understand the core concepts of the Service Management System (10%)
You will be able to:
2.2.1 Describe the objective of planning and improving service management
2.2.2 Describe the continual improvement methodology for service management processes
2.2.3 Describe the key principles of producing and implementing a service management plan
2.2.4 Describe the requirements for monitoring, measuring, reviewing and improving the processes
ISO/IEC 20000:2011 defines an SMS as a management system to direct, monitor and control
the service management activities of the service provider.
The SMS should include what is required for the planning, design, transition, delivery and
improvement of services. At a minimum this includes service management policies, objectives,
plans, processes, process interfaces, documentation and resources. The SMS encompasses all
the processes as an over-arching management system, with the service management processes
as part of the SMS.
The service provider is accountable for the SMS. This does not mean that the provider may not
delegate certain activities to third parties. However, delegating does not exempt the provider
from its liability to the customers to whom it provides services. In this case, the service
provider can demonstrate evidence of fulfilling all the requirements of the ISO/IEC 20000-1
standard by proving it has control (governance) over those processes operated by suppliers (third
parties).
In the following chapters we will look in more depth at each relevant section of the standard,
that is, sections 4 to 9.
We have previously seen that quality is a concept that requires the commitment of everyone
working in a company (total quality). This must be clearly shown right from the top of the
hierarchical structure of the organization, which should be an example to be followed by the other
levels.
Top management should be the management who direct, monitor and control the service provider
at the highest level.
Management commitment: Top management should ensure that all service lifecycle stages are delivered to the agreed levels, as defined in the service requirements. The service lifecycle includes planning, implementation, operation, monitoring, measurement, review, maintenance and continual improvement. The service lifecycle also includes transfer of the service to a customer or a different party or eventual removal of the service.
Service management policy: The service management policy should be specific to the service provider's circumstances and have a customer focus. The policy should be based on the agreed scope of the SMS and represent top management direction and commitment to fulfill service requirements.
Authority, responsibility and communication: The service provider should ensure that the authorities and responsibilities for all aspects of the SMS are defined. Top management should be accountable for ensuring that communication procedures are designed, transitioned, implemented and used.
Management representative: The management representative should be the member of the service provider’s management team who has the authority to ensure that the SMS is established, used, improved over time and in alignment with the changing needs of the business.
According to ISO/IEC 20000-2, the service provider should be able to identify all service
management processes or parts of processes that are operated by other parties, to have an end-
to-end visibility of the performance of the other parties and to be able to demonstrate control of all
of them. This should be supported by all contracts and other documented agreements.
Internal groups, who are organizational units inside the same organization as the service provider, but not within the direct control of the service provider (e.g. a specialist security team)
Customers acting as suppliers (e.g. the customer performing some of the activities of incident and service request management)
Suppliers (e.g. outsourcing of the testing done as part of the release and deployment management process)
The governance of processes operated by other parties is described in detail in Part 3 of the
standard (ISO/IEC TR 20000-3:2009).
Documentation is an essential element within the Service Management System, as is the
effective management of such documentation. Section 3 of ISO/IEC 20000-1:2011 defines
document and record as follows:
The service provider should ensure that evidence is available for any audit of the SMS. Much of the
evidence should exist in the form of documents. Documents may be any type, form or medium
suitable for their purpose (e.g. paper based, electronic files or in a database). The following
documents can be considered as evidence for an audit of the SMS:
Good document management ensures efficient planning, operation and control of the SMS.
The service provider should understand that an effective procedure is essential for the production
of documents, including records. This includes the use of a naming and numbering system that
aligns with the purpose and revision history of documents. The use of templates and standardized
format can reduce the effort of creating, accessing, updating and using the content.
Once produced, the documents should be subject to control that includes periodic reviews, at
least annually, with updates if necessary. This control can provide visibility of the impacts
of changes (e.g. to a service level agreement).
The service provider should develop a number of procedures with the necessary authority and
responsibility levels for the adequate control of documents. This way, different levels of authority
would be allocated for writing, editing, reviewing, approving, updating, removal and archiving of
documents.
Records associated with the SMS should be aligned to the requirements of ISO/IEC 20000-1,
statutory and regulatory requirements and contractual obligations (for example, retention of records,
archival and disposal practices).
The service provider should make available all resources agreed in the plan to establish,
implement, maintain and improve the SMS and the agreed services.
Human resources play a key function in IT Service Management. Defining each person's role in the
SMS and the authority level assigned to them should be among the service provider's
commitments.
A very useful tool when performing this task is known as the RACI responsibility matrix. RACI is an
acronym that stands for Responsible, Accountable, Consulted and Informed.
The authorities and responsibilities for each service management process in the SMS should
include:
The competence required for a role should be based on analysis of the specific characteristics and
requirements of that role. This should include but not be limited to: education (certificates), training,
skills and experience. The service provider should be aware of this and, consequently:
Should maintain the appropriate education, training, skills and experience records.
Top management should ensure that personnel are aware of the relevance and importance of their
activities and of how they contribute to the achievement of service management objectives.
The service provider should establish whether ISO/IEC 20000-1 is applicable to their
circumstances early in the planning stage, as well as define the scope of the SMS. When defining
the scope of the SMS the following parameters should be considered:
For the SMS to be effective, the service provider should continually improve the SMS and the
services using the PDCA methodology. Part 3 of the standard (ISO/IEC TR 20000-3) gives advice
on defining the scope of the SMS and checking the applicability of ISO/IEC 20000-1 to the service
provider’s circumstances.
The plan for the SMS should cover all aspects of service management and delivery of services. To
this end it is important to design a plan, known as the Service Management Plan, which includes
but is not limited to the aspects given below.
The service provider should implement and operate the SMS in alignment with the service
management plan and as a means of achieving the service management objectives. To this end,
the following activities should be carried out:
SMS implementation
Budget allocation
Assign roles and responsibilities
Manage and maintain policies, plans and procedures for each process
Risk identification and management
Service management process coordination
Teams and facilities management
Monitor and report on services activities
Tracking of the Service Management Plan
The service provider should continuously monitor, measure and review the service management
objectives and plan the necessary activities to ensure they are being achieved.
After conducting audits, the reviews, evaluations, results and corrective actions identified should be
documented. In case of non-compliance, all parties concerned should be informed. Different levels
of assessments and audits can be set:
Self-assessment: A department assesses their own procedures. Necessary, but not very objective.
Internal audit: Carried out by an internal department within the organization. The auditor belongs to the same organization but is not involved in the department being audited.
Top management should review the SMS at planned intervals to check that it continues to enable
the fulfillment of changing business needs and service requirements. The review can be performed
against:
Continual improvement is one of the core concepts of ISO/IEC 20000. The standard states that a
strategic approach should be used, establishing a policy for the continual improvement of the SMS
and the services. This should include evaluation and prioritization criteria for the improvement
opportunities.
To help prepare for the exam, we have included multiple choice and conceptual questions (the
answer key can be found at the end of this workbook). Additionally you are provided with an
overview of terms with which you should be familiar.
Sample Questions
4. Why are processes and procedures required for a service management system?
A. To be able to define service management objectives in a structured manner
B. To ensure that service issues never arise
C. To provide consistency in the output from activities
D. To satisfy the needs of major suppliers
5. What should be recorded as a baseline prior to implementing a plan for service improvement?
A. Backlog of changes for the service
B. Number of staff involved
C. Service or component configurations
D. Time taken to operate the process
6. Personnel should be competent on the basis of appropriate education and experience. What
is a requirement relating to competence?
A. Appropriate records of education, training, skills and experience need to be maintained
B. At least two employees should be suitably trained for each role
C. Employees should have at least a relevant bachelor's degree
D. Personnel should all have a relevant Security training according to ISO/IEC 27002
Exam Terms
Service Management System (SMS), Third Party, Service Management Policy, Document, Record,
Resources, Process Owner, Process Manager, Scope of the SMS, Planning the SMS,
Implementing the SMS, Monitoring and Reviewing the SMS, Maintain and Improve the SMS.
After reading chapter 3, you will understand the importance of the Service Design and
Transition process when transferring a service to the real production environment, and will
achieve the following objectives:
3.1 Understand the core concepts for service design and transition (5%)
You will be able to:
3.1.1 Describe at a high level the management requirements for new/changed services
3.1.2 Describe at a high level the requirements for planning new/changed services
3.1.3 Describe at a high level the requirements for designing new/changed services
3.1.4 Describe at a high level the requirements for transitioning new/changed services
3.1.1 General
The objective of the design and transition of new or changed services process is to establish and
implement the necessary plans to control the delivery of the new or changed services offered by the
provider.
This process works closely with control processes (Change Management, Configuration
Management and Release and Deployment Management) and applies not only to new or changed
services but also to the withdrawal of services and the transfer or recovery of services to or from
third parties.
Even though control processes are at the core of managing all changes to the SMS and the services,
the scope of this process goes beyond the junction of the three control processes. According to
ISO/IEC 20000-2, this process should be applied to new or changed services that are either high
risk or have a potentially major impact on services or the customer, or wherever there are
interfaces with tasks or deliverables that fall outside the scope of SMS.
Figure 3.1: Main processes in transition (Source: ITeratum)
The service provider will determine for which changes it is appropriate to use the design and
transition of new or changed services process (e.g. when the change affects more than one service
or location, where there is a risk of infringing a data protection law, etc.). The criteria
usually vary for each provider and situation.
Any new or changed services to which Section 5 of the ISO/IEC 20000:2011 standard applies
should be managed as a project due to the size, risks and scope of the changes. The service
provider should consider the potential impact of such a service and ensure a strong coordination
between the change management process and the project management roles and authorities, from
the earliest possible stage of the project.
When another party is involved in the new or changed services, the service provider should do a
thorough review. The review should evaluate the capability of the other party to fulfill their
commitments, including the agreed service requirements. The review should also evaluate the risk
to the existing services and support environment.
If other parties besides the service provider (suppliers, stakeholders, etc.) are involved in the
project, the service provider should do a thorough review of the ability of the other
parties to fulfill the commitments agreed with the customer, as well as of the risk these parties
raise for the project.
If a service is to be removed, this should be planned and documented in a service removal plan.
The plan should include:
The conditions where removal applies
The objectives and success factors of the removal
Governance of processes operated by other parties
Roles, responsibilities, constraints and risks
Activity breakdown, milestones and deliverables
The design of the service should be documented and agreed upon by all the interested parties prior
to the development stage. The design should take into account current service requirements and
information security considerations, as well as the resource capacity projections for growth during
the anticipated life of the service. Likewise, this stage should ensure that the resulting designs meet
the business requirements.
The main intent of this stage is to ensure that the service requirements are met. The transition of
services should include the building, testing and acceptance of the new or changed services,
followed by making the new or changed services operational through the Release and Deployment
Management process, under the supervision of the Change Management process.
The transition should be reviewed with the customer and interested parties to establish that it is
ready for live operation. To this end, a number of service acceptance criteria should be set
beforehand in order to obtain the customer's agreement.
To help prepare for the exam, we have included a number of conceptual questions (the answer key
can be found at the end of this workbook). Additionally you are provided with an overview of terms
with which you should be familiar.
Conceptual Questions
1. In which cases is it especially appropriate to apply the Design and Transition of new or changed
services process?
2. Which approach should be used when planning a modification of an existing service
that is vital for the business?
3. List three elements to be considered when designing new services.
Exam Terms
After reading Chapter 4, you will be familiar with the delivery processes. This will allow you to reach
the following objectives:
4.1 Understand the service delivery processes (Service Level Management, Service Reporting,
Service Continuity and Availability Management, Budgeting and Accounting for Services, Capacity
Management and Information Security Management) (15%)
You will be able to:
4.1.1 Describe the objectives and quality requirements
4.1.2 Describe the activities and practical application for each process
Objective: to ensure that an agreed service is provided and that service targets are met. This
process ensures that agreed services and service targets are documented in a way that is easily
understood by the customer.
The Service Level Management (SLM) process should define, agree, document, monitor, report
and review the services delivered. The SLM process works closely with the Business Relationship
Management (BRM) process and the Supplier Management Process in order to ensure a correct
end-to-end service delivery. Customer satisfaction is a key element for success.
Term: Definition
Service Level: Acceptable level of service quality.
Service Level Agreement (SLA): Documented agreement between the service provider and customer that identifies services and service targets.
Service Level Requirements (SLR): Detailed list of customer requirements on various aspects of an IT service. SLRs are essential to reach SLAs.
Service Catalogue: A structured document with information about all IT services delivered.
SLAs may need to be supported by agreements with suppliers external to the service provider's
organization, or with internal groups. These supporting agreements with suppliers can be known as
underpinning contracts. Supporting agreements with internal groups can be known as operational
level agreements (OLA).
Figure 4.1: Providers, suppliers & agreements (Source: ITeratum based on EXIN materials)
The catalogue should hold information common to all of the services or most of them, in order to
simplify the SLAs. The catalogue of services should include a variety of information, including:
The name, description and targets of the service
Contact points
Service hours, support hours and exceptions
Dependencies between the services
Dependencies between the services and service components
Security arrangements
An SLA is a documented agreement between the service provider and the customer that describes
the service and service targets. An SLA also specifies the responsibilities of the service provider
and the customer. A single SLA may cover multiple services or multiple customers.
SLAs need to be reviewed at regular intervals and all changes made to both services and SLAs will
be under the control of the Change Management process.
Objective: to ensure the production of agreed, timely, reliable, accurate reports to facilitate
informed decision making and effective communication.
The success of all service management processes is dependent on the use of the information
provided in service reports. Reactive and proactive reports should be produced. Reactive reports
show what has happened, after it has happened. Proactive reports give warning of significant
events, thereby enabling preventive action to be taken beforehand. Where there are multiple
suppliers, lead suppliers and sub-contracted suppliers, the reports should reflect the information
related to all their activities.
Term: Definition
Service Report: Document agreed between the service provider and the customer that contains specific information for later evaluation.
Each service report should be clearly described including its identifier, purpose, frequency,
audience, and details of data source. Service reports are intended to verify the customer's
requirements and identify needs. Service reports for customers and the business should include at
least:
Objective: to ensure that agreed service continuity and availability commitments can be met, within
agreed targets.
This process includes both a focus on the prevention of, and recovery from, service failures or
disasters and ensuring the provision of sufficient service availability to meet service requirements.
Service providers may operate the service continuity and availability management process as two
separate processes that are linked or as a single process, depending on the service provider's
circumstances.
Term: Definition
Availability: Ability of a service or service component to perform its required function at an agreed instant or over an agreed period of time. Availability is normally expressed as a ratio or percentage of the time that the service or service component is actually available for use by the customer to the agreed time that the service should be available.
Availability Plan: Document containing the actions, measures, costs, resources and time planning intended to deliver the agreed availability levels.
Service Continuity: Capability to manage risks and events that could have serious impact on a service or services in order to continually deliver services at agreed levels.
Service Continuity Plan: Document containing the actions, measures, costs, resources and time planning aimed at maintaining the service continuity and, where appropriate, to recover from a disaster scenario.
Risk: Effect of uncertainty on objectives. Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.
The service continuity policy should be focused on supporting business continuity. The policy
should address the roles, activities and responsibilities required to meet the agreed service
requirements.
The policy should take into account agreed service hours and critical business periods. The service
provider should identify the requirements separately for each customer group and service,
including:
The maximum acceptable continuous period of lost service
The maximum acceptable periods of degraded service
The acceptable degraded service levels during a period of service recovery
The service continuity policy should be reviewed at agreed intervals, at least annually. Any
changes to the policy should be formally agreed between the service provider and the customer.
Once the strategy has been defined in the continuity policy, it is time to carry out risk
assessment and management. The risk assessment should include business impact analysis of a
major loss of service. Risk mitigation measures meeting the business requirements and plans
should be agreed with the business.
Access rights (who can have access rights under normal conditions and who can have access rights following a major loss of service)
Response times (under normal circumstances and also after a major loss of service)
End-to-end availability of services (e.g. for normal service what is the required availability of components required to deliver a complete service and after a major loss of service what priority should be given to each service).
Service continuity plans should be based on the requirements defined in the service continuity
policy, a business impact analysis and risk assessments. These plans should be under the control
of the Change Management process, and responsibilities for invoking should be clearly assigned.
Service continuity testing should be undertaken at least annually or after every major business
change. All the relevant parties should be informed about the existence of service continuity plans
and appropriate awareness and training should be provided. The plans should contain the following
information:
The availability plan should identify the business needs and customer requirements, design
requirements, technical specifications and project planning activities required to meet the business
availability requirements both currently and in the future. The availability plan should be reviewed
and revised regularly, at least annually and after any major change.
Service continuity testing should be undertaken after every major business change and change to
the service environment. The scope of service continuity testing should include the return to normal
service operation following a disruption and should involve the joint participation of the customer
and the service provider, based upon an agreed set of objectives.
Review after a service continuity test should be conducted to assess the achievement of the aims
and objectives of the test and to identify any areas of weakness or opportunities for improvement.
Service continuity and availability management should, according to the agreed availability plan:
A regular availability testing schedule should confirm that the availability solutions are achievable
and appropriately resilient. Availability, reliability and resilience mechanisms should be reviewed
and tested after any major change.
Objective: to support the service provider's understanding of and ability to manage the total cost of
services.
The budgeting and accounting process should control the financial aspects of services and service
components, and provide information that supports both the live operation of services and the
funding of service changes and improvements.
This process should be performed by the service provider, regardless of whether other aspects of
financial management are performed elsewhere in the organization, and should be aligned with and
receive information from the financial processes of the service provider's organization.
Term: Definition
Budgeting: Prediction of future funding requirements for the agreed delivery of services.
Accounting: Tracing of the service provider regarding funding usage.
Charging: Billing to customers for services provided.
The service provider should have a documented policy and procedures for the financial
management of services. The policy should include the cost types used in the budget for cost
allocation and an explanation of how overhead costs are apportioned. Criteria should be defined to
allow for a budget and accounting analysis for each service.
The resources provided for the budgeting and accounting for services process should be based on
the needs of the customer, service provider, suppliers and other interested parties for financial
detail, as defined in the policy.
The service provider should select categories for cost entries in the budget that are useful for
service management. For example, service providers should define cost models in line with
services and their components, as defined in the catalogue of services. Those categories should be
easily measurable (e.g. hardware, software, maintenance, personnel). The service provider should
also consider cost types such as:
Apportionment of overhead costs may be based on a variety of mechanisms, such as a flat rate
cost, a fixed percentage, or based on the size of an agreed variable element of delivered services.
Forecast of costs and revenue for budgeting should take into account the planned changes to
services during the budget period. Budgeting and cost tracking should support planning to operate
and improve the services so that service levels can be maintained throughout the year.
4.4.6 Accounting
Accounting activities should be used to track costs to an agreed level of detail over an agreed
period of time.
Accounting reports should provide sufficient information to calculate the costs of low service levels
or costs resulting from a loss of service. To calculate these costs, the service provider should have
a clear understanding of costs of resources required to deliver the service (personnel, components,
facilities, and any aspects of the service delivered by other parties).
4.4.7 Charging
Charging is not included in ISO/IEC 20000-1 but it is recommended that where charging is in use,
the charging mechanism is defined and understood by all parties.
Objective: to ensure that sufficient capacity is provided to meet the current agreed capacity and
performance requirements.
The capacity management process should develop plans to ensure that capacity requirements can
be agreed on, forecast and met.
Term: Definition
Capacity: Maximum performance that can be obtained from a component or IT service. For certain types of components, the capacity may be the size or the volume, for example in the case of a disk drive.
Capacity Plan: Document which sets out the actions, measures, costs, resources and time planning designed to deliver the agreed capacity levels, both present and future.
Assess, document and agree the capacity requirements for new or changed services
Be involved in the design of new or changing services and make recommendations for the procurement of components and resources
Set, monitor and use capacity thresholds, warnings and alarms to automatically manage and improve the utilization of components and the performance of services
Maintain data and information used by the capacity management process
Produce capacity and performance reports, which provide valuable information to many service management processes
Forecast future component and service capacity and performance
The capacity plan should document the actual performance, the expected business capacity needs
and the service requirements. It should be produced at least annually. The capacity plan should
include:
Objective: to ensure that security controls are in place to protect information assets and that
information security requirements are incorporated into the design and transition of new or
changed services.
Term: Definition
Information Security Policy: Policy governing the vision of the organization on the management of information security.
Risk: Effect of uncertainty on objectives. Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.
Confidentiality: Security principle that requires that only authorized personnel have access to a particular set of data.
Integrity: Security principle certifying that the data and configuration items are changed only by authorized personnel and activities to ensure accuracy of data.
Availability: Security principle that ensures the information is available to authorized users whenever they require access to it.
Service requirements, statutory and regulatory requirements and contractual obligations should
provide the basis of an information security policy. The policy should give direction on the use of
physical, administrative and technical information security controls and should be approved by
managers accountable for the SMS and the services.
Management should ensure that personnel, customers, suppliers and internal groups have both an
adequate understanding of the contents of the policy and an appreciation of the importance of
adhering to it.
Management should also ensure that the information security policy is used as part of risk
assessments and during information security audits. The policy should provide guidance on the
criteria for accepting risks and the approach for managing identified information security risks.
Internal information security audits should be conducted at regular intervals and their results
reviewed to identify opportunities for improvement of information security.
Personnel with specialist information security roles can find it helpful to become familiar with the
ISO/IEC 27000 standards, which include guidance and advice for Information Security
Management Systems.
The information security controls are designed to safeguard information assets by preserving their
confidentiality, integrity and availability (accessibility). Information security controls can be
physical, administrative or technical.
The service provider should ensure that the controls are documented, describing their related risks
and risk mitigation strategies. The service provider should also define information security controls
to manage external organizations and individuals that need to access, use or manage the
organization’s information or services.
Information security changes and incidents should be processed in accordance with the Change
Management process and the Incident and Service Request management process.
Requests for change (RFC) should be assessed to identify any new or changed information
security risks as a result of the proposed change. The RFC should also be assessed against any
potential impact on existing services, processes, policies or the existing information security
controls.
The service provider should use the results of reviews of information security incident records to
identify potential deficiencies and opportunities for improvement.
To help prepare for the exam, we have included multiple choice and conceptual questions (the
answer key can be found at the end of this workbook). Additionally you are provided with an
overview of terms with which you should be familiar.
Sample Questions
1. How can an organization determine the effectiveness of the Service Level Management
(SLM) process?
A. By checking contracts with suppliers
B. By defining Service levels
C. By measuring customer satisfaction
D. By reporting on all incidents
2. Where are agreements regarding Service delivery and its relationship to Information security
management recorded?
A. In a Capacity Plan
B. In a Configuration Management Database (CMDB)
C. In a Definitive Software Library (DSL)
D. In a Service Level Agreement (SLA)
3. The Service catalogue for a network company states that LAN authorization requests will be
complete within three weeks. A manager who is a client of the network company does not
believe this is achievable and requests a report demonstrating achievement of the catalogue
statement. Which process is responsible for providing this report?
A. Availability Management
B. Change Management
C. Problem Management
D. Service Level Management (SLM)
5. What is the intent of the Service continuity and availability management processes?
A. To ensure agreed effective communication towards Customers
B. To ensure that agreed levels of service commitments to Customers can be met in all
circumstances
C. To ensure that agreed Service continuity and availability commitments to Customers can be
met within agreed targets
D. To ensure that agreed Service continuity and availability commitments to providers can be
met in all circumstances
8. A power failure has knocked out the entire IT infrastructure. Fortunately, a Service Continuity
Plan is available. At what point should the Service Continuity Plan be invoked?
A. Immediately, as the service can no longer be used.
B. When the failure will likely extend beyond the targets defined in the Service Level Agreement
(SLA).
C. When the Incident Manager thinks this is necessary.
D. When the time within which the failure should be solved has been exceeded.
Conceptual Questions:
1. What is the difference between an SLA, an OLA and an underpinning contract with regard to the
parties that establish the agreement?
2. What is the objective of the Service Reporting process?
3. What is availability?
4. What are the three key elements to take into consideration in the Budgeting and Accounting for
Services process?
5. List four characteristics to take into account in the Capacity Plan.
6. What is confidentiality within the Information Security Management process?
7. What is the objective of the Information Security Management process?
Exam Terms
Service level, SLA, OLA, underpinning contract, SLR, service catalogue, service report, availability,
availability plan, continuity, continuity plan, risk, monitoring, testing, budgeting, accounting,
charging, cost types, capacity, capacity plan, information security policy, confidentiality, integrity,
security controls.
After reading Chapter 5, you will be familiar with the relationship processes. This will allow you to
reach the following objectives:
This chapter deals with Section 7 of ISO/IEC 20000:2011. The relationship processes describe the
characteristics of the Supplier Management and Business Relationship Management processes.
The aim of both processes is to ensure that all parties are aware of the business needs and the
capabilities, limitations, responsibilities and obligations that concern them.
Objective: to ensure that mechanisms are established to manage the relationship between the
service provider and the customer(s).
There should be a strong link between the Business Relationship Management (BRM) process and
the Service Level Management (SLM) process. The SLM process should define and use measures
to evaluate service level performance. In contrast, the BRM process should seek to work closely
with the customer to understand future business objectives and direction.
Term: Definition
Customer satisfaction: Degree of satisfaction with the performance that the customer perceives regarding the agreed service(s).
Service complaint: Formal disagreement with the service delivered. To be a justified claim, the disagreement should be related to what is agreed in the Service Level Agreement (SLA).
Escalation: Within the context of the Business Relationship Management process, transfer of a service complaint to a higher authority, usually within the organization.
5.1.2 Activities
Identify interested parties: The service provider should identify and document its customers (user groups and/or business units), other interested parties, suppliers and dependent sub-contracted suppliers, in order to fully understand the dependencies between services.
Reviews: The service provider should hold formal meetings with the customer to review customer satisfaction, strategic direction and major exceptions to the performance of the services. The meetings should be scheduled in advance and held regularly, at least annually. Meetings should be more frequent when the service provider and the customer are managing a high rate of change or when there are concerns about the quality of services.
Customer satisfaction survey: The service provider should establish a formal mechanism for recording customer satisfaction. The frequency and scale of any measurement should be agreed with the customer in advance, and this should include the sample of users to be surveyed.
Objective: to manage suppliers in order to ensure the provision of seamless, quality services.
Service providers can use suppliers to operate some parts of the processes or services, or to
supply components such as hardware and software. All suppliers should use this process. The
supplier management process can be an adequate supplement for the Service Level Management
process as far as the management of internal groups and customers acting as suppliers is
concerned.
Term: Definition
Lead supplier: Supplier in charge of any other subcontracted supplier. The lead supplier should record the names of all subcontracted suppliers and their responsibilities and relationships, making this information available to the service provider.
Subcontracted supplier: Supplier contracted and managed by the lead supplier, rather than the service provider.
5.2.2 Activities
The service provider should designate a contact person responsible for the relationship with each
supplier. The contract should include the requirements and service levels required of the supplier.
The service targets agreed on in the supplier’s contract should be articulated to ensure that the
service provider’s SLAs with the customer can be met.
All supplier contracts should contain a review schedule. At least an annual review should be
scheduled. If a contract includes penalties or bonuses, their basis should be clearly stated, and
compliance with the requirements and service targets should be measured and reported upon.
The service provider should, at planned intervals, obtain evidence that the supplier is meeting all
requirements of the contract. All outcomes of meetings, reviews and audits concerning the
subcontracted service should be reviewed to identify opportunities for improvement. Where
changes are required, they should be controlled using the Change Management process.
It should be clear whether the service provider is dealing with all suppliers directly or with lead
suppliers, each taking responsibility for sub-contracted suppliers.
Both the service provider and the supplier should agree on a process for managing disputes, and
this process should be defined within the contract between provider and supplier. An escalation
path should be available for disputes that cannot be resolved through the normal means of
communication. The process should ensure that disputes are recorded, investigated, acted upon
and formally closed.
The contract management process should include provision for contract termination, either at the
expected end or prematurely. It should also allow for the transfer of the service to another
organization at the end of the contract (costs, intellectual property rights, hardware, software
licences and data).
To help prepare for the exam, we have included multiple choice and conceptual questions (the
answer key can be found at the end of this workbook). Additionally you are provided with an
overview of terms with which you should be familiar.
Sample Questions
3. The relationship processes describe the relationships with the business and with the
suppliers. What do the relationship processes ensure?
A. That business requirements and outcomes are the primary driver in managing the business
and supplier relationship.
B. That the business and suppliers are directly informed of major incidents.
C. That the service levels for all services are consistent in the supply chain.
D. That there is a frequent contact between the suppliers and the business to resolve issues.
Exam Terms
After reading Chapter 6, you will be familiar with the processes that support the organization in their
daily activities. This will allow you to reach the following objectives:
6.1 Understand the resolution processes and their relationships (Incident and service request
management, Problem management)
You will be able to:
6.1.1 Describe the objectives and quality requirements
6.1.2 Describe the activities and practical application for each process
Objective: to manage incidents and service requests consistently to ensure that incident resolution
or request fulfillment is achieved within agreed service targets and time frames.
Data collected as part of the incident and service request process should be used to monitor
performance against relevant service targets and can be included in service reports to the
customer.
Term: Definition
Incident: An incident is considered to be an unplanned interruption to a service, a reduction in the quality of a service or a failure of a configuration item that has not yet impacted a service.
Service Request: Request for information, request for guidance, request for access to standard services or pre-approved changes.
Priority: Relative importance of an incident, problem or change. Priority is based on impact (effect of an incident, problem or change on business processes) and urgency (how long it will be until an incident, problem or change has a significant impact on the business).
Escalation: Within the context of the Incident and Service Request Management process, transfer of an incident or service request to a higher technical (functional) or hierarchical level for resolution.
The incident and service request management process should be supported by two separate
documented procedures. The first is for the management of incidents, the second for the
management of service requests. The two procedures should define the following:
Recording: Mechanisms for recording incidents and service requests, ensuring proper use, storage and retrieval of data.
Classification and Priority: All incidents and service requests should be classified so they can be acted upon in line with their priority and service target commitment. Classification should include determining which CIs are impacted, which in turn should help identify the personnel who may need to be involved in resolution or fulfillment. The priority should be agreed with the customer upon receipt of the incident or service request, or as soon as possible afterwards. The determination of the priority should be based on an assessment of the impact and urgency of the incident or service request in question.
Escalation: Rules for escalations, including triggers (events that cause the escalation), functional or hierarchical types and authority to invoke.
Resolution: Detailed definition of the activities to be carried out to resolve the incident or service request, including access to necessary information (configuration management database, known errors database, service catalog and other relevant documents and records).
Closure: Definition of the actions required to close an incident or service request record upon the user's confirmation that the incident has been resolved or the service request fulfilled.
Throughout the whole process, appropriate communication channels with customers and users
should be established to keep them informed of the status of their requests or incidents.
The incident and service request management process should include a documented procedure
specifically for the handling of major incidents. A major incident generally has a higher impact
and requires special attention to resolve. The major incident procedure should define:
Objective: to identify the unknown, underlying root causes of incidents and propose permanent
resolutions through the change management process, as well as to proactively prevent incidents
from occurring through trend analysis and recommendations of preventative actions.
Term: Definition
Problem: Root cause (origin) of one or more incidents. The cause is not usually known at the time a problem record is created, and the problem management process is responsible for further investigation.
Workaround: Temporary action carried out for reducing or eliminating the impact of an incident or problem for which a full resolution is not yet available.
Known Error: Problem that has an identified root cause or a workaround available.
6.2.2 Activities
The problem management process should include procedures for the activities listed below:
Classification and Priority: Problems are categorized using the same classification criteria that are used in the incident and service request management process. Each problem is given a priority for resolution according to its urgency and the impact of related incidents. Based on this information, time and resources for investigating the problem are allocated.
Investigation and Diagnosis: At this point, the necessary steps are taken to investigate and diagnose the root cause and identify a resolution. While the resolution is being achieved, the problem management process supports the incident and service request management process by identifying workarounds. Problem diagnosis is complete when the root cause is identified and a method of resolving the problem is identified.
Escalation: Setting rules for escalation, defining authorities, responsibilities and escalation points.
Documenting Known Errors: When the root cause and a proposed method of resolving the problem are identified, a known error is recorded in the known error database, together with details of any temporary fix. This record is not closed until after the permanent solution has been successfully implemented via the change management process. Known errors are reported to the Incident and Service Request Management process so that it can make use of the information about them.
Problem record closure: Once the problem has been mitigated or eliminated by appropriate resolution, the problem record is closed.
After every major problem a review should be conducted to examine what was done correctly, what
was done wrong, what can be improved in the future and how to prevent similar situations.
As we have seen in previous sections, both processes are closely related but should be kept
separate because of their characteristics:
To help prepare for the exam, we have included multiple choice and conceptual questions (the
answer key can be found at the end of this workbook). Additionally you are provided with an
overview of terms with which you should be familiar.
Sample Questions
1. When a service outage or other failure is reported, in what order will the processes be
executed?
A. Configuration Management, Incident Management, Change Management, Release
Management
B. Incident Management, Change Management, Problem Management, Release Management
C. Incident Management, Problem Management, Change Management, Release Management
D. Problem Management, Configuration Management, Release Management, Change
Management
Exam Terms
Incident, service request, priority, urgency, impact, escalation, major incident, problem, known error,
workaround, major problem.
After reading Chapter 7, you will be familiar with the processes responsible for controlling the
changes that occur in the processes and elements involved in the management of services. This
will allow you to reach the following objectives:
Configuration Management establishes and maintains the integrity of information about services,
service components and CIs across the service lifecycle. The configuration management process
should also identify, manage and verify the information about relationships between CIs, as well as
the relationships between CIs and the services they support.
According to the standard ISO/IEC 20000:2011, the scope of the configuration management
process should exclude financial asset management but include an interface to the financial asset
management process.
Term: Definition
CI: CI stands for Configuration Item. A CI is an element that needs to be controlled in order to deliver a service or services.
7.1.2 Concepts
Configuration management should document the definition of each type of CI and identify each CI
according to the configuration management policy and procedures. Configuration information is
recorded in a CMDB that includes data on configuration items, versions, relationships, baselines
and releases. The information for each CI should include:
- Identifier
- Description
- Status
- Location
- Relationships and associated records (RFCs, incident, problem and known error records)
Configuration information should be maintained by approved individuals and made available only to
approved interested parties.
There are several elements that can be considered CIs. CI types should include:
- Services as listed in the catalogue of services and their related information and documents (SLAs, agreements, contracts, service requirements, specifications of service design)
- Service components, including hardware, software and licenses, tools, applications, documentation, supporting services
Configuration audit activities should be performed both at planned intervals and in response to
specific events. Adequate procedures and resources should be in place to:
- Verify that the service provider is in control of the information about all CIs and their relationships within the scope of the process
- Verify that the service provider is in control of information about the location and quantity of software licenses
- Provide confidence that configuration information is accurate, controlled and visible to approved personnel
- Identify the cause of any discrepancies between the actual and expected configuration information and resolve them in coordination with the change management process
- Ensure that a configuration baseline is taken at regular intervals and at least prior to the deployment of a release into the live environment
- Ensure confidentiality and accessibility of the information in the CMDB
Objective: to manage changes through their lifecycle, ensuring all changes are assessed,
approved, implemented and reviewed in a controlled manner.
Term: Definition
RFC: RFC stands for Request For Change. An RFC is a proposal for a change to be made to a service, service component or the service management system. A change to a service includes the provision of a new service or the removal of a service which is no longer required.
Change Schedule: A document that lists all authorized changes and their planned implementation dates.
Standard Change: A pre-authorized change that is low risk, relatively common and follows a procedure.
Emergency Change: A change that must be introduced as soon as possible, for example, to resolve a major incident.
Normal Change: A change that is not an emergency change or a standard change. Normal changes can be categorized as major, significant and minor, depending on the level of cost and risk involved. This categorization can be used to identify an appropriate change authority (role).
A change management policy should be established and documented that defines the CIs under
the control of the change management process. The change management policy should define
criteria for determining which changes should be managed through the change management
process and which changes should be managed through the design and transition of new or
changed services process. The criteria used to determine changes to be managed through the
design and transition of new or changed services process should include changes for the removal
of a service and changes for the transfer of a service from the service provider to another party.
The other party can be the customer or a supplier.
Recorded RFCs should be analysed at planned intervals to identify increasing levels of changes,
frequently recurring types, emerging trends and other relevant information. The results and
conclusions drawn from the analysis of changes should be recorded and used to identify
opportunities for improvement.
Once the change has been deployed and accepted, a Post-Implementation Review (PIR) is
performed to verify that the change was successful and that there were no problems. In this case,
the request for change should be closed. The request for change can also be closed when a decision
not to carry out the change has been made. When the request for change has been closed, the
result of the change should be reported to the initiator of the request for change and other
interested parties.
For emergency changes there should be a defined process, and these changes should be
differentiated from other changes, due to the increased risk and often increased cost of approving
and implementing them. Emergency changes may be used to resolve emergency situations where
there is insufficient time to adhere to normal change process procedures, time lines and approval
authorities. Due to the urgency of implementing an emergency change, some details may be
documented retrospectively and some testing may not be possible. Even in that case, there should
be a plan to reverse or remedy the emergency change if it is unsuccessful.
Objective: to ensure that all releases are effectively deployed into the live environment so that the
integrity of hardware, software and service components is maintained.
Term: Definition
Release: Collection of one or more new or changed configuration items which are tested and then deployed jointly into the live environment as a result of one or more changes.
Release Policy: Policy governing the vision of the organization about release and deployment management.
Emergency release: Type of release carried out to implement emergency changes. The procedure for this type of release must be closely related to the process for emergency changes.
Acceptance Criteria: Conditions set to validate a release before being deployed into the live environment.
The service provider, together with the customer and interested parties, should develop and agree
on a release policy to help specify the frequency of releases and approach for each type of release.
A release policy can typically include:
- Definition of each type of release (emergency, major, significant, minor)
- The frequency of each type of release
- Definition of key roles and responsibilities
- Authority levels for release acceptance and deployment approvals
- Rules on verification and acceptance of releases
- Build and packaging of releases
- Release and deployment approach for each type of release including automated deployment methods and tools where applicable
- A predefined and consistent testing approach
The release and deployment planning should be developed with the customer and interested
parties. Project management methods and techniques should be used to support release and
deployment planning. These plans should always ensure that all changes are coordinated with the
change management process and should include an assessment of the impact of the release,
associated risks and the identification of any mitigation measures that would be employed to
minimize any unacceptable risks. Release and deployment plans should include the following
components:
- Scope and content of the release
- Services and service components to transfer, decommission or retire including licences
- Timetable for the deployment of the release with dates determined in consultation with the customer for each nominated site
- Roles and responsibilities for planning, coordinating, building, testing, deploying and reviewing the release
- Procedures and methods that ensure the integrity of software, hardware and other service components during deployment
- Test plans, including acceptance criteria
- The criteria that the release and deployment should be verified against, along with any appropriate criteria to be used for reversing or remediation of failed releases
To help prepare for the exam, we have included multiple choice and conceptual questions (the
answer key can be found at the end of this workbook). Additionally you are provided with an
overview of terms with which you should be familiar.
Sample questions
2. Which question cannot be answered directly from the configuration management database
(CMDB)?
A. What incidents or problems are related to this workstation?
B. Which Configuration Items (CIs) does a specific service consist of?
C. Which members of staff of department X have moved to department Y?
D. Which Requests for Change (RFCs) have been submitted for a specific server?
5. Which process is responsible for recording the logical and physical relationships between the
various components of the IT infrastructure?
A. Availability management
B. Configuration management
C. Release management
D. Incident management
6. When implementing a new version of an application both Change management and Release
management are involved. What is the responsibility of the Change management process
here?
A. Change management has the implementation and installation task in this phase.
B. Change management plays a coordinating role in this phase.
C. Change management must check whether the new application functions properly.
D. Change Management draws up the Request for change (RFC) in this phase.
7. New or changed services need to be accepted before being implemented into the live
environment. What shall be done after a new or changed service has been implemented?
A. A Post implementation review (PIR) is held comparing actual outcomes against those
planned.
B. An approach needs to be defined for interfacing to projects that are creating or modifying
services.
C. Nothing additional. The new or changed service goes into Business As Usual and will be
managed as a normal service.
D. The manner in which the Change shall be reversed or remedied, if unsuccessful, needs to be
defined.
9. One of the activities required for effective planning, coordination and evaluation of requested
changes is assessing the impact and required resources. Which process or function is
responsible for this activity?
A. Change management
B. Configuration management
C. Release management
D. Service desk
10. In Change management, a number of activities take place between the acceptance of a
Request for Change (RFC) and the completion of the Change. Which activity is performed
first after acceptance of an RFC?
A. Building and testing the Change
B. Determining the urgency of the Change
C. Implementing the Change
D. Scheduling the Change
11. What must be included in the Release and Deployment Management procedures according
to ISO/IEC 20000?
A. The authorization and implementation of Emergency changes
B. The investigation and prevention of Information security incidents
C. The recording of all reported Incidents
D. Procedures to reverse an unsuccessful deployment
Conceptual Questions:
1. What is a CI?
2. Describe three types of CI.
3. What is a Standard Change?
4. Give an example of a change that should be managed through the design and transition of new
or changed services process.
5. What is the objective of Release and Deployment Management?
6. What are the acceptance criteria within Release and Deployment Management?
7. The procedure for emergency releases must be closely related to a procedure of another
process. Which one?
Exam Terms
CI, CMDB, configuration baseline, RFC, schedule of change, normal change, emergency change,
standard change, release, release types, emergency release, acceptance criteria.
This chapter contains the terms with which candidates should be familiar. Terms are listed in
alphabetical order. For concepts whose abbreviation and full name are included in the list, both can
be examined separately. Please note that knowledge of these terms alone does not suffice for the
exam; the candidate must understand the concepts and be able to provide examples.
Accountability
Accounting
Alignment
Analysis
Applicability
Assessment
Asset (management)
Attribute
Audit
Availability (management)
Awareness
Best practice
Budgeting
Business continuity (management/plan)
Business Impact Analysis
Business requirements
Capability
Capacity (management)
Certification
Change (management)
Classification
CMMI®
CobiT®
Complaints definition/process
Compliance
Component
Confidentiality
Configuration Baseline
Configuration Item (CI)
Configuration (management)
Configuration Management Database (CMDB)
Michael Kunas
Implementing Service Quality based on ISO/IEC 20000, 3rd Edition
United Kingdom, IT Governance Publishing, 2012
ISBN: 978 1 84928 442 4
e-pdf ISBN 978 1 84928 444 8
Mart Rovers
ISO/IEC 20000-1:2011: A Pocket Guide 2nd Edition
The Netherlands, Van Haren Publishing, 2013
ISBN 978 90 8753 726 5
e-pdf ISBN 978 90 8753 787 6
e-pub ISBN 978 90 8753 9733
ISO/IEC
ISO/IEC 20000-1:2011 Part 1: Service management system requirements
Switzerland, ISO, 2011
ISO/IEC
ISO/IEC 20000-2:2012 Part 2: Guidance on the application of service management systems
Switzerland, ISO, 2012
Throughout this book there have been references to different organizations. Following are a
number of links to their corporate websites:
AXELOS
http://www.axelos.com/officialsite.asp
http://www.itil-officialsite.com/
AXELOS Limited are the current owner of ITIL®. AXELOS are a new joint venture company, created
in 2013 by the Cabinet Office on behalf of Her Majesty's Government (HMG) in the United Kingdom
and Capita plc to run the Best Management Practice portfolio, including the ITIL® and PRINCE2®
professional standards.
Chapter 1
Sample Questions:
2. A service provider can integrate their Service Management System with a quality
management system or an Information Security Management System to provide the highest
level of service to the customer. Which standard supports the Quality Management System?
A. ISO 9001
B. ISO/IEC 27001
C. COBIT®
D. ITIL®
A. Correct.
B. Incorrect. This standard covers the Information Security Management System.
C. Incorrect. COBIT® covers the IT Governance framework.
D. Incorrect. ITIL® covers the service lifecycle framework for Service management.
4. The Plan-Do-Check-Act (PDCA) methodology can be applied to all processes. What does the
Act phase of this methodology cover?
A. Establishing the objectives and processes necessary to deliver results in accordance with
Customer requirements and the organization's policies
B. Implementation of the processes
C. Monitoring and measuring the services rendered and the Service management system (SMS)
D. Taking the necessary actions to continually improve
A. Incorrect. This action is taken during the Plan phase of the methodology.
B. Incorrect. This action is taken during the Do phase of the methodology.
C. Incorrect. These are the actions taken during the Check phase.
D. Correct. This action is taken during the Act phase of the methodology.
A. Incorrect. ITIL® offers an extensive set of guidance while ISO/IEC 20000-1 provides
requirements.
B. Correct. This is referenced within the scope of the standard.
C. Incorrect. It is the Service Management System that gets certified, not the services.
D. Incorrect. It is the Service Management System that gets certified, not the products.
A. Correct. The process owner has the authority and responsibility for ensuring that the process, its
interfaces to other processes and integration within the SMS are documented, adhered to,
measured and improved.
B. Incorrect. Operating the process is the responsibility of the process manager.
C. Incorrect. Process reporting is the responsibility of the process manager.
D. Incorrect. Setting up the process is the responsibility of the process manager under the
guidance of the process owner.
Conceptual questions:
7. What is COBIT®?
A worldwide accepted reference framework for IT Governance based on the standards
and best practices of the industry.
8. What are the five steps in the DMAIC methodology used in Six Sigma®? What is it based on?
Define, Measure, Analyze, Improve and Control. It is based on Deming’s PDCA cycle.
A. Correct. The tools appropriate to the processes should be mentioned in the Service
Management Plan.
B. Incorrect. The interfaces between the business processes should not be included in the Service
Management Plan.
C. Incorrect. Procedures are part of the processes and do not have to be included in the Service
Management Plan.
D. Incorrect. Procedures are part of processes and do not have to be included in the Service
Management Plan.
A. Incorrect. Processes and procedures should support the service management objectives.
B. Incorrect. Service issues are a part of day to day life; processes and procedures will help to
prevent and minimize their impact.
C. Correct. A predictable approach is required.
D. Incorrect. Touch points with suppliers are needed to demonstrate end to end quality control.
5. What should be recorded as a baseline prior to implementing a plan for service improvement?
A. Backlog of changes for the service
B. Number of staff involved
C. Service or component configurations
D. Time taken to operate the process
A. Incorrect. This may be one of the measures if backlog of changes is to be reduced but there
may be other details too.
B. Incorrect. This may be one of the measures if staff numbers are to be improved but there may
be other details too.
C. Correct. The standard recommends that the current configuration of affected components be
captured before implementation so as to measure improvement as well as create a fallback point.
D. Incorrect. This may be one of the measures if time taken is to be improved but there may be
other details too.
Conceptual questions:
3. In Resource Management, what are the minimum resources to be considered according to the
ISO/IEC 20000 standard?
Human Resources
Technical Resources
Information
Financial Resources
5. List five elements to be taken into account when designing the Service Management Plan.
The service management objectives
Service requirements
Resources, facilities, budgets
Authority, responsibility and role definition
Tools for process support
6. What kind of audits should be performed in the Monitor and Review stage of the SMS?
Self-assessment, performed by its own department.
Internal audit, performed by an internal department within the organization.
Vendor audit, performed by a supplier.
External audit, performed by an independent, external and qualified organization.
1. In which cases is it especially appropriate to apply the Design and Transition of new or changed
services process?
This process should be applied to new or changed services that are either high risk or have a
potentially major impact on services or the customer, or wherever there are interfaces with
tasks or deliverables that fall outside the scope of SMS.
2. Which approach should be used when planning a modification of an existing
service that is vital for the business?
Since it is a vital process for the business, Section 5 of the ISO/IEC 20000:2011 standard
applies. Regarding the planning, it should be managed as a project due to the size, risks
and scope of the changes.
1. How can an organization determine the effectiveness of the Service Level Management
(SLM) process?
A. By checking contracts with suppliers
B. By defining Service levels
C. By measuring customer satisfaction
D. By reporting on all incidents
A. Incorrect. Contracts with suppliers are part of the SLM process but you cannot determine the
effectiveness of the process by checking the contracts.
B. Incorrect. Defining Service levels is important to deliver IT services but they do not provide
information about the effectiveness of the SLM process.
C. Correct. Customer satisfaction is the most important aspect to determine the effectiveness
(ability to achieve desired results) of the SLM process.
D. Incorrect. By reporting on all Incidents you can determine the effectiveness of Incident
Management but not the effectiveness of the SLM process.
2. Where are agreements regarding Service delivery and its relationship to Information security
management recorded?
A. In a Capacity Plan
B. In a Configuration Management Database (CMDB)
C. In a Definitive Software Library (DSL)
D. In a Service Level Agreement (SLA)
4. In Continuity management various precautionary measures are taken to ensure Services are
delivered during/after a catastrophe. An example would be having an emergency electrical
power supply. Which process could also initiate this kind of measure?
A. Availability Management
B. Capacity Management
C. Change Management
D. Incident Management
A. Correct. Availability Management can take certain measures to ensure service delivery under
abnormal conditions. One of them is to initiate an emergency electrical power supply.
B. Incorrect. Capacity Management is strategically responsible for the right capacity at the right
time, not for the availability of emergency electrical power.
C. Incorrect. Change Management is responsible for installing an emergency electrical power
supply as it is a change but Change Management is not responsible for initiating these measures.
D. Incorrect. Incident Management is responsible for solving incidents as soon as possible. Taking
precautionary measures is not a task of Incident Management.
A. Incorrect. Effective communication is not the intent of the process Service Continuity and
Availability Management. It is more relevant to Service Reporting.
B. Incorrect. Managing levels of service is the intent of the Service Level Management process.
C. Correct. This is the intent of the Service Continuity and Availability Management processes.
D. Incorrect. Service Continuity and Availability Management is a process between a supplier and
a Customer, not between a supplier and a provider.
A. Incorrect. The accessibility of data does not mean the data is correct, as is meant by the
concept 'Integrity'.
B. Incorrect. The protection of the data is called 'Security'.
C. Incorrect. Not the capacity to verify the correctness of the data but the correctness itself is
called 'Integrity'.
D. Correct. The correctness of the data is called 'Integrity'.
A. Incorrect. Regardless of a formal or informal SLA, IT must deliver services to meet business
goals.
B. Incorrect. Even if services are outsourced, managing service availability is just as critical so as to
meet business needs.
C. Incorrect. Just because IT can collect more data doesn't mean it should be collected, nor is it
all valuable. Managing availability requires more than real-time data input.
D. Correct. The relationship between IT and the business is more critical than ever and in order for
the business to maintain its goals, Services must be delivered to meet agreed upon service levels.
A. Incorrect. The Service Continuity Plan will be invoked after a predefined time, not immediately
after the Incident takes place.
B. Correct. The Service Continuity Plan will be invoked if the targets as defined in the SLA cannot
be met.
C. Incorrect. The Service Continuity Plan will be invoked after a predefined time, not at the call of
the Incident Manager.
D. Incorrect. When the time to repair a failure exceeds the agreed maximum time this is not directly
a reason to invoke the Service Continuity Plan.
A. Incorrect. The IT framework provides a structure for service management but would not define
the service itself.
B. Incorrect. The Service Catalogue shows all the possible services a provider can offer.
C. Correct. The SLA would define the service for the customer.
D. Incorrect. The Service Report would provide details of service performance not define the
service.
A. Incorrect. Availability Management will provide information for the review. Service Level
Management will review service performance (achievement of SLA targets) with the customer.
B. Incorrect. Service Reporting will create the service report that may be given to the customer.
Service Level Management will review service performance (achievement of SLA targets) with the
customer.
C. Correct. Service Level Management will review service performance (achievement of SLA
targets) with the customer.
D. Incorrect. Budgeting and Accounting for Services will provide service cost information for each
service, customer or location. This information will be presented to the customer typically by
Service Level Management. Service Level Management will review service performance
(achievement of SLA targets) with the customer.
Conceptual questions:
1. What is the difference between an SLA, an OLA and an underpinning contract with regard to the
parties that establish the agreement?
An SLA is an agreement between the customer and the service provider.
An OLA is an agreement between an internal group of the organization and the service
provider.
An underpinning contract exists between the service provider and an external supplier.
4. What are the three key elements to take into consideration in the Budgeting and Accounting
for Services process?
Budgeting, Accounting and Charging, although the latter is not obligatory according to the
ISO/IEC 20000-1 standard.
1. What is a responsibility of the Service provider with regard to Supplier Management as defined in
ISO/IEC 20000-1?
A. To ensure that a process exists for the procurement of suppliers
B. To ensure that contracts with suppliers are aligned with SLAs of the business
C. To ensure that subcontracted suppliers meet contractual requirements in all circumstances
D. To ensure that supplier processes and procedures are defined
A. Incorrect. Selection and procurement are outside the scope of the standard.
B. Correct. A focus on end-to-end Service Management is essential.
C. Incorrect. This is the responsibility of the Lead Suppliers.
D. Incorrect. The Service provider does not define the supplier processes and procedures.
A. Correct. All supplier contracts should support and align with the SLAs between the service provider
and customer.
B. Incorrect. Just as the supplier contract supports the SLA, so should the OLA.
C. Incorrect. The Service Management plan structures the planning and deployment of the service
management system, thus guiding the activities of the IT organization. It will not directly support a supplier
contract.
D. Incorrect. A service cost model would include the cost of supplier services. The contract directly
supports the SLA which will drive the cost model based on requirements.
A. Correct. The Relationship processes cover Supplier management and Business relationship
management, and together they should ensure that the business needs of the Customer are
understood and remain the driver for all actions.
B. Incorrect. Dealing with major incidents should include communication across all areas involved,
including top management as well as the customers affected. However, this is managed within the
Incident and Service Request Management process and is the responsibility of the designated
individual responsible for managing major incidents. It is therefore outside of the scope of the
relationship processes.
C. Incorrect. It is not necessary for the service levels to be consistent across all suppliers, and in
fact it is unlikely that this will be the case. It is however necessary that supplier service levels are
aligned with those of the business, so that the Service level agreements (SLAs) agreed with the
customer can be met.
D. Incorrect. The business should not have direct contact with the suppliers. The service provider
is responsible for managing the suppliers to ensure the quality of the services provided to the
business.
1. When a service outage or other failure is reported, in what order will the processes be
executed?
A. Configuration Management, Incident Management, Change Management, Release
Management
B. Incident Management, Change Management, Problem Management, Release Management
C. Incident Management, Problem Management, Change Management, Release Management
D. Problem Management, Configuration Management, Release Management, Change
Management
A. Incorrect. The entry of a service failure will not begin with Configuration management, but will be
formally logged within the Incident management process.
B. Incorrect. Finding root cause via Problem management will typically occur prior to submitting a
Change.
C. Correct. This is the order of the processes.
D. Incorrect. Change management will assess and authorize any Change prior to the
implementation via Release management.
Conceptual questions:
2. List three elements that should be taken into account in a major incident procedure.
What constitutes a major incident
Who has the authority to declare a major incident and how it will be declared
Who should coordinate and control activities and who should be involved
3. What is a workaround?
Temporary action carried out for reducing or eliminating the impact of an incident or problem
for which a full resolution is not yet available.
A. Incorrect. The authorization of the emergency Change is part of the process and there is no
recommendation about who does this.
B. Incorrect. It is not recommended to bypass the whole process although some activities may be
bypassed and covered later.
C. Incorrect. There is a requirement for a separate policy for emergency Changes but not a
recommendation for a separate process.
D. Correct. It is recommended that the Change process should be followed where possible
although any activities bypassed should be undertaken as soon as possible.
2. Which question cannot be answered directly from the configuration management database
(CMDB)?
A. What incidents or problems are related to this workstation?
B. Which Configuration Items (CIs) does a specific service consist of?
C. Which members of staff of department X have moved to department Y?
D. Which Requests for Change (RFCs) have been submitted for a specific server?
A. Incorrect. Incidents and Problems are related to CIs and are registered in the CMDB.
B. Incorrect. Relationships between CIs are registered in the CMDB.
C. Correct. Personnel moves would be tracked by Human Resources and only current office
location information would be directly part of the CMDB.
D. Incorrect. An RFC is registered in the CMDB. When the Change is implemented the CMDB will
be updated.
4. Targets for resolution should be based on priority. When scheduling an authorized change
which will eliminate a known error, what should not be taken into account?
A. The available skills
B. The competing requirements for resources
C. The effort/cost to provide the method of resolution
D. The number of previously reported Incidents for the particular Configuration Item (CI)
6. When implementing a new version of an application both Change management and Release
management are involved. What is the responsibility of the Change management process
here?
A. Change management has the implementation and installation task in this phase.
B. Change management plays a coordinating role in this phase.
C. Change management must check whether the new application functions properly.
D. Change Management draws up the Request for change (RFC) in this phase.
A. Correct. A Release is a collection of one or more new or changed CIs deployed into the live
environment.
B. Incorrect. A Release can also consist of only software or hardware.
C. Incorrect. The size of the Release is not relevant.
D. Incorrect. The impact of the Release is not relevant.
A. Correct.
B. Incorrect.
C. Incorrect.
D. Incorrect.
10. In Change management, a number of activities take place between the acceptance of a
Request for Change (RFC) and the completion of the Change. Which activity is performed
first after acceptance of an RFC?
A. Building and testing the Change
B. Determining the urgency of the Change
C. Implementing the Change
D. Scheduling the Change
A. Incorrect. Building and testing the Change will take place after classification has been done. Part
of classification is to determine the urgency.
B. Correct. The first step after the acceptance is to determine the urgency of the Change.
C. Incorrect. Implementing the Change will take place after building, testing and scheduling has
been done.
D. Incorrect. Scheduling the Change will take place after classification has been done. Part of
classification is to determine the urgency.
Conceptual questions:
1. What is a CI?
CI stands for Configuration Item. According to the standard ISO/IEC 20000:2011, a CI is an
element that needs to be controlled in order to deliver an IT service.
6. What are the acceptance criteria within Release and Deployment Management?
Conditions set to validate a release before being deployed into the live environment.
7. The procedure for emergency releases must be closely related to a procedure of another
process. Which one?
The procedure for emergency releases must be closely related to the process for emergency
changes of the Change Management process.