Workbook

EXIN IT Service Management Foundation based on ISO/IEC 20000
Edition January 2014
DISCLAIMER:
Although every effort has been taken to compose this publication with the utmost care, the Authors,
Editors and Publisher cannot accept any liability for damage caused by possible errors and/or
incompleteness within this publication. Any mistakes or omissions brought to the attention of the
Publisher will be corrected in subsequent editions. All rights reserved.

COPYRIGHT
©2014 All rights reserved. No part of this publication may be published, reproduced, copied or
stored in a data processing system or circulated in any form by print, photo print, microfilm or any
other means without written permission by EXIN.

Trade Mark Acknowledgement Statements


ITIL® is a registered trademark of AXELOS Limited.
CobiT™ is a registered trademark of the Information Systems Audit and Control Association
(ISACA)/IT Governance Institute (ITGI).
CMMI® is a registered trademark of Carnegie Mellon University.
Six Sigma® is a registered trademark and service mark of Motorola, Inc.

Workbook EXIN ITSM based on ISO/IEC 20000


Colophon

Title: EXIN IT Service Management Foundation based on ISO/IEC 20000 – Workbook

Author: Victoriano Gómez Garrido (ITeratum)

Review: María de la Vega González (Independent Consultant), Carlos Durán Muñoz
(Independent Consultant), Ricardo Santiago Cachero (EXIN)

Editor: Victoriano Gómez Garrido (ITeratum)

A publication of: ITeratum, S.L. and EXIN

ISBN: 978 90 8753 762 3

Edition: 2014

Prologue

Since its emergence in 2005, the international standard ISO/IEC 20000 has certainly become a
compulsory reference for professionals and companies related to IT Service Management (ITSM).
So much so that a great number of private companies and public institutions, such as the US
Department of Defense, have adopted this standard.

EXIN, world leader in the field of Information Management for the certification of professionals, was
a pioneer in developing a qualification scheme for people based on ISO/IEC 20000, providing the
professional not only with the knowledge of the first part of the standard (the requirements), but
also with the experience of all our expert contributors in traditional frameworks of IT Service
Management best practice, making the ITSM scheme based on ISO/IEC 20000 the appropriate
scheme for organizations and professionals that want to get the most out of the standard, without
obsessing about the requirements to fulfill.

As IT professionals, we are obliged to be in a continuous process of learning and adaptation to new
technologies and trends, and it is certainly necessary to know the ISO/IEC 20000 standard, even if
you are on the “customer side” or on the “supplier side”. Both sides must understand each other
and speak the same language, in the context in which “services” have an increasing
preponderance.

The aim of this workbook is to be a helpful support for students of ITSM Foundation based on
ISO/IEC 20000. Although the book itself could serve to prepare for the certification of the exam
based on ITSM Foundation of ISO/IEC 20000, it is highly recommended, as far as possible, to
attend official training that any accredited EXIN partner may offer in a large number of countries.
Furthermore, sharing experiences with colleagues and trainers will certainly enrich the reading of
this text.

Ricardo Santiago
Area Manager of Spain, Portugal and Latin America
EXIN

Table of contents

Colophon
Prologue
Table of contents
Introduction
1 Introduction to IT Service Management
1.1 The importance of quality in IT services
1.2 Basic concepts of quality frameworks
Exam Preparation: chapter 1
2 The Service Management System (SMS)
2.1 What is a Service Management System (SMS)?
2.2 SMS general requirements
2.3 Establish and improve the SMS
Exam Preparation: chapter 2
3 Service Design and Transition
3.1 Basic concepts of Service Design and Transition
Exam Preparation: chapter 3
4 The service delivery processes and their relationships
4.1 Service Level Management
4.2 Service Reporting
4.3 Service Continuity and Availability Management
4.4 Budgeting and Accounting for Services
4.5 Capacity Management
4.6 Information Security Management
Exam Preparation: chapter 4
5 The relationship processes and their relationships
5.1 Business Relationship Management
5.2 Supplier Management
Exam Preparation: chapter 5
6 The resolution processes and their relationships
6.1 Incident and Service Request Management
6.2 Problem Management
Exam Preparation: chapter 6
7 The control processes and their relationships
7.1 Configuration Management
7.2 Change Management
7.3 Release and Deployment Management
Exam Preparation: chapter 7
8 List of Basic Concepts
Literature
Answers

Introduction

IT Service Management (ITSM) quality is one of the most important requirements for providing
services that add value to the business. The ISO/IEC 20000 standard for IT Service
Management has joined together the principles of ISO quality management and the
standard ITSM processes in the market.

Figure 1.1: Processes in ISO/IEC 20000 (Source: ISO/IEC 20000-2)

The purpose of this book is to help in preparing for the EXIN ITSM Foundation based on ISO/IEC
20000 exam, providing an overview of IT Service Management from the perspective of ISO/IEC
20000. It addresses fundamental concepts, such as quality, the frameworks, the services
provided to the business and the processes that support, control and facilitate those services.

The exam consists of 40 multiple-choice questions. Throughout the chapters of this book you will
find examples of these exam questions, along with others focused on the understanding of
concepts that will help fix the ideas, which can be found at the end of each chapter. The exam
specifications are given at the beginning of each chapter, and the weight of each of the topics is
shown as a percentage of the total.

Target Audience

The book is aimed at those who wish to prepare for the exam to obtain EXIN ITSM Foundation
based on ISO/IEC 20000 Certification, those interested in IT Service Management or those who
play a role in this field. This includes staff from internal and external service providers, their
customers and their managers.

Introduction to IT Service Management:
Exam specifications (15%)

After reading chapter 1, you will understand the basic concepts on which IT Management is based
and the standards and frameworks related to it. You will then achieve the following objectives:

1.1 Understand the core concepts of IT Service Management (10%)

You will be able to:
1.1.1 Describe what quality is and why it is important
1.1.2 Describe what an IT service is
1.1.3 Describe the factors needed to provide an IT service
1.1.4 Describe the benefits and characteristics of a process-based approach
1.1.5 Describe the concept of IT service management
1.1.6 Describe the benefits and risks of IT service management
1.1.7 Describe the role of tools used within IT service management
1.1.8 Describe the principles of continual improvement and the applications of the PDCA cycle

1.2 Understand the core concepts surrounding quality frameworks (5%)

You will be able to:
1.2.1 Identify the purpose and benefits of ISO/IEC 20000
1.2.2 Identify the purpose and application/audience of ISO 9001, ISO/IEC 27000 family, ITIL®,
COBIT®, Six Sigma®, CMMI® for Services, GreenIT, Cloud, TMap NEXT®
1.2.3 Describe the complementary nature of the quality frameworks

1 Introduction to IT Service Management

1.1 The importance of quality in IT services

The concept of quality is commonly used in everyday language. We talk about “good quality” or “bad
quality” when referring to a product or service we have acquired, to express whether we are
satisfied with it or not. But what makes quality “good” or “bad”? Against what are we comparing
this service or product when we make this assessment?

1.1.1 What is quality?

To avoid misunderstandings we should first define what quality is. The ISO 9001 standard, which
defines how a quality management system should be (and on which the ISO/IEC 20000 standard is
based), says that:

We can talk about quality when the customer obtains every single characteristic expected from a
product or service.

The customer has the last word on whether the service or product acquired fulfills his or her
expectations. Therefore, any product or service that meets the customer requirements, in the terms
previously agreed, is a quality product or a quality service.

Figure 1.2: The quality concept (Source: ITeratum)

1.1.2 The importance of quality

Quality has not always been a strategic concept in business. At the beginning of the 20th century,
quality in production chains was restricted to the inspection of the final product, before customer
delivery. This prevented the delivery of wrong products, but neither products nor processes were
improved, which implied an additional cost for the customer, meaning that quality was expensive.

This was a valid method while demand was higher than supply. However, when the situation
turned around, customer expectations increased not only in terms of quality but also of product
cost. As a result, quality was no longer limited to the final product, as it extended to the complete
manufacturing process (“…it has to be well done from the very first time…”).

During the 1980s, quality became a strategic element in business, a differentiating factor that could
help position the offer of the company ahead of its competitors. The concept of Total Quality
Management (TQM) appeared. This is a management strategy developed by several American
consultants, W. E. Deming and Joseph Juran among them. Kaoru Ishikawa, a well-known expert in
quality management, defined TQM as "Philosophy, culture, strategy or management style of a
company according to which all persons in the same, study, practice, participate and promote
continuous quality improvement."

In 1987, the International Organization for Standardization (ISO) adopted a set of quality standards
known as ISO 9000, which were developed to be applied to any kind of organization. ISO 9000
certification guarantees that an organization is governed by TQM principles.

In 1987 the International Organization for Standardization (ISO) adopted a set of quality
standards known as ISO 9000 that were developed to be applied to any kind of organization. The
ISO 9001 certification ensures that an organization is governed by the principles of TQM.

Figure 1.3: The quality evolution (Source: ITeratum)

1.1.3 Quality Management

As we saw in the previous section, quality has evolved over time from a simple check of a
finished product to quality management, in which the goal is customer satisfaction. Therefore
we can say that:

Quality management includes everything the organization does to ensure that its products or
services meet customers’ quality requirements and to comply with all the applicable norms to
those products or services.

In the case of an IT service provider, such as the IT department of an organization, quality
management means understanding the perspective of the organization (what we usually call
“the business”) on quality and service issues, and ensuring that the services provided are
aligned with this perspective.

When the ISO 9000 family of standards (international standard for quality management) was drawn
up, eight basic principles were established to underpin the whole system of quality management.
These principles, according to what is stated in ISO 9001, are as follows:

1. Customer focus: An organization depends on its customers; therefore, you need to
understand what their needs are and try to meet them.

2. Leadership: Leaders are responsible for guiding the organization, and for motivating
and involving the staff in its objectives.

3. Involvement of people: It is essential that all staff, whatever their level, get involved,
putting their skills at the disposal of the organization.

4. Process approach: Activities and related resources are much more efficient when they
are managed as a process.

5. System approach to management: It is important to identify and to manage interrelated
processes as a system in order to achieve the organization's objectives effectively
and efficiently.

6. Continual improvement: Once the organization has reached a certain level of quality, it
cannot get stuck, because this would mean the loss of its market
position, as well as the loss of its quality level. It is necessary that
the organization has the continual improvement of the overall
performance as a target.

7. Factual approach to decision making: Only an analysis of existing data and information
enables effective decision-making.

8. Mutually beneficial supplier relationships: Organizations depend on their suppliers in
order to meet their commitments to their customers. Therefore, a mutually
beneficial relationship enhances the ability of both parties to add
value to their work.

Figure 1.4: Quality Management Principles (Source: ITeratum, based on ISO 9001)

1.1.4 IT Services

Over the last decades, the relationship between IT and the rest of the business has evolved.
Information Technology used to be regarded as something that generated products: computers,
systems, applications, etc. However, as the quality concept was being reinforced,
the relationship between business and IT was changing and increasingly moving towards
one in which what the business demanded from IT was not just products but services.

1.1.4.1 What is a Service?

ITIL® gives the following definition of a service that has been adopted by ISO/IEC 20000:2011:

Service is a means of delivering value for the customer by facilitating results the customer wants
to achieve without having to assume ownership and responsibility for the costs and risks involved.

Let's look at a simple example. Suppose one day we decide to eat pizza. One possibility is to
go to a pizzeria, buy the one we like and take it home for dinner. In this case, we are buying a
product.

Another possibility would be to call the pizzeria to order the pizza. In this case, an
operator would receive the order, someone else would prepare it and a third person would take it
to a vehicle and bring the pizza to our home for dinner. We could even make a claim in the event
that the pizza does not arrive in proper condition. In this case, we are making use of a service
(home delivery service).

Consequently, we may say that an IT Service is any service provided by the IT organization to the
business. Although information technology uses products for the provision of IT services, nowadays
it is being increasingly accepted that IT activities are within the domain of services.

As a result, we can establish some features of the services:

• They are intangible: they have tangible components but they are much more than the
simple combination of these components.
• They are produced and consumed at the same time: they cannot be stored.
• They are highly variable: not only machines are involved in the services, but also people.
• The user gets involved in the service production: it is common that the user has to perform
certain actions so that the service can be used.
• Satisfaction is a subjective concept: products can be valued before purchase, but you
cannot judge a service that has not been received yet.

1.1.4.2 IT Service Components

From a technical point of view, we can say that a service consists of an information system that is
linked with a particular support and that is delivered to the customer with certain quality levels that
have been previously agreed.

Information Systems: An information system is a bundle of elements intended to perform the
management and administration of data used in the business
processes information control or support. Basically it consists of
people, products, processes and associated suppliers.

Support: Support is needed to provide maintenance, in order to guarantee that services
remain active and that performance is aligned with the specified requirements.

Quality specifications: Since services have to be provided according to the customers’
requirements, some quality parameters have to be met in the form of capacity, availability,
security and service levels.

Figure 1.5: IT Service Components (Source: ITeratum)

1.1.4.3 Differences between services provided and quality perceived

One of the main challenges of providing services is to ensure that the quality perceived by
customers and/or users is aligned with their expectations and that this quality is maintained over
time. To this end it is necessary that the service provider fully understands the customer
expectations, has the knowledge to convert them into real services and carries out continuous
monitoring in order to avoid disparities between what the customer expected and his or her
perception of the service received.

Figure 1.6: The quality perception (Source: ITeratum)

To avoid these disparities ("gaps") it is important that both the customer and the provider speak
the same language (COBIT®, ITIL®, etc.), that the customer clearly specifies what his or her
expectations are, and that the provider is adaptable enough to cope with the frequently changing
situation of services.

A continuous review and evaluation of services between the customer and the provider will allow
an increasing alignment between what the business demands and what IT provides, as well as a
more effective and efficient adjustment of costs.

1.1.5 Process Orientation

To get an organization to work effectively it is necessary to carry out a large number of interrelated
activities. It is important that these activities can be controlled and managed from beginning to end,
so that the organization is able to achieve its objectives. To this end the process-oriented approach
is used. But, what does process mean? ISO 9001:2005 defines it as:

A process is an activity or a group of activities that uses resources and that is managed in order to
get the input elements transformed into outcomes.

To have a process structure clearly described, the following must be established:

• What has to be done.
• What the inputs and the outputs (outcomes) are.
• How to measure the process outcomes.
• How other processes are affected by the outcomes of the process.

Usually, the outputs of one or more processes are the inputs of other processes. The
implementation of a system of processes in the organization, along with the management of that
system, aimed at meeting the expected results, is called the process-oriented approach.

Figure 1.7: Process components (Source: ITeratum)

The implementation of a process-oriented approach in the organization provides a number of
important benefits, including:

• Improved and predictable results.
• More effective use of resources, resulting in cost savings and shorter life cycles.
• Identification and prioritization of improvement opportunities.

1.1.5.1 Process evaluation

As we have seen in the previous section, an important point of process orientation is that it allows
identifying improvement opportunities. However, to find out if we do something in the process that
is likely to be improved, we should be able to perform measurements of what is happening in the
process, that is, we need to be able to evaluate the process.

To this end Critical Success Factors (CSF) and Key Performance Indicators (KPI) are used. A CSF
is something that must happen for a service, process or activity to be successful, while the KPIs are
used to measure the achievement or not of each CSF. CSFs are qualitative while KPIs are
quantitative elements.

For example, a CSF could be "avoiding IT services being affected when changes are made". That
can be measured by KPIs such as "reduction percentage of failed changes", "reduction percentage of
incidents due to changes", etc.

1.1.5.2 Process roles

A role is a set of responsibilities, activities and authority levels defined in a process and assigned
to a person or group of people.

According to ISO/IEC 20000-2, the main roles in the process are:

• Process Owner: responsible for describing the process and its results.
• Process Manager: responsible for the operation of the process, the day-to-day control and
management.
• Process Personnel (teams or professionals): responsible for certain activities.

It is important to highlight that a person or a team may be able to perform multiple roles.

1.1.6 IT Service Management

According to ISO/IEC 20000:2011, Service Management is defined as:

Set of capabilities and processes to direct and control the service provider's activities and
resources for the design, transition, delivery and improvement of services to fulfill the service
requirements

Regarding IT services, the 2011 edition of ITIL® specifies that IT Service Management (ITSM) is
"the implementation and management of IT quality services that meet business needs by service
providers, through a combination of people, processes and technology".

There are basic relationships in ITSM between each of its components: customers, business
processes, IT services and service providers:

• Business processes are supported by IT services.
• The main activity of an IT provider is the delivery of IT services.
• IT provider customers are basically organizations involved in business processes.
• Users make use of IT services to carry out day-to-day activities.
• ITSM frameworks describe best management practices for IT Services.

Figure 1.8: ITSM relationships (Source: EXIN materials)

1.1.7 Benefits and Risks of IT Service Management

Implementing IT Service Management in the organization brings a number of important benefits,
but if it is not done in a planned and controlled manner, supported by both the staff and the
business management, it can result in negative situations that should be avoided.

The benefits and potential risks or difficulties of IT Service Management are shown in the following
comparison chart:

Benefits

• Understanding and implementation of requirements to achieve customer satisfaction.
• Service delivery driven by the policies and objectives.
• Services designed and delivered following a defined management system.
• Continuous monitoring, measurement, review of systems management and service performance.
• Continuous improvement of services and management system based on objective measures.
• Increase in effectiveness and efficiency of workflows.
• Improvement of communications and knowledge management.
• Decrease in errors that result in failures.
• Risk Management Improvement.

Risks and Difficulties

• Bureaucratic procedures, more paperwork.
• Less efficiency and effectiveness if:
  o Staff is not aware of processes and measures.
  o The staff does not accept the system.
  o The management hardly supports the system without a firm commitment.
  o An important part of the work is done outside the system.
  o Processes are not fulfilled.

1.1.8 The tools in the IT Service Management

To carry out the usual tasks of IT Service Management it is normal to make use of a number of
elements (applications, systems, customized developments, etc.) which facilitate the automation
of processes in our daily work. These elements are generally known as “tools”.

The use of tools is very important because it allows increasing efficiency, with the subsequent cost
reduction, while providing evidence of the processes carried out. ISO/IEC 20000-1:2011 mentions
tools stating “appropriate tools may be used to enable the service management processes to be
effective and efficient”.

Over the last decades, ITSM tools of differing complexity, cost, scope and functional
features have arisen in the market. Some of the most typical tools that can be found are:

• Monitoring tools
• Distribution / software discovery / hardware tools
• Integrated sets of tools for Service Management
• Design and control of workflow tools
• Infrastructure remote management tools

In any case, the fact that a company has an ITSM tool does not mean that the Service
Management is implemented by itself, in the same way that the fact of having a piano does not
mean you know how to play it.

We should not make the mistake of confusing the implementation of Service Management with
the implementation of a provider’s tool, however powerful and famous it may be. In Service
Management it is necessary to take into account other factors linked to technology: people,
processes and providers/suppliers.

1.1.9 Principles of the Continual Improvement and PDCA Cycle applications

When we discussed quality, one of the eight principles of Quality Management was
continual improvement. To simplify, we can say that continual improvement consists of providing
the necessary means in order to make things increasingly better.

This could seem easy at first, but implies an effort and a significant involvement by all the staff in
the organization, from top management to the lowest level employees, so that gradual
improvement becomes a reality.

William Edwards Deming (1900-1993) was an American statistician known for his contribution to
the improvement of productivity and the achieving of higher levels of quality in products and
services. Deming proposed a four-step strategy for continual improvement, which is known today,
in honor of his name, as the Deming Cycle, or PDCA methodology.

Figure 1.9: The Deming Cycle (Source: ISO/IEC 20000-2)

Steps of PDCA methodology ("Plan-Do-Check-Act") can be briefly described as follows:

• Plan: To establish, document and agree on Service Management System (SMS), including
the policies, objectives, plans and processes necessary to design and deliver services
aligned to business needs, customer requirements and service provider's policies.
• Do: To implement and operate the SMS for the design, transition, delivery and
improvement of services, assigning roles and responsibilities.
• Check: To monitor, measure and review the SMS and the services against the plans,
policies, objectives and requirements and to report on the results.
• Act: To take actions to continually improve SMS performance. This includes the service
management processes and the services themselves.

1.2 Basic concepts of quality frameworks

1.2.1 The ISO/IEC 20000 standard

The International Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC) define a specialized system for worldwide standardization. Their Joint
Technical Committees (JTC) collaborate in areas of mutual interest, one example being
ISO/IEC JTC 1, which is responsible for the preparation of the ISO/IEC 20000
standard.

ISO/IEC 20000 is an international standard which aims to ensure the provision of managed
services according to an acceptable level of quality for customers negotiated with them.

It was released for the first time on December 15, 2005 (this standard is known as ISO/IEC
20000:2005). It was reviewed later on (all standards must be reviewed every five years) in order to
align with other existing standards, practices and technologies, releasing the ISO/IEC 20000:2011
on April 15, 2011.

The ISO/IEC 20000 promotes the use of the PDCA methodology. It is a process-based standard
that does not consider a life cycle for services. However, stages of Design, Transition, Operation
and Improvement of such services can be identified. This standard consists of several parts:

Part      Designation              Type   Content
Part 1    ISO/IEC 20000-1:2011     IS     Service Management System Requirements
Part 2    ISO/IEC 20000-2:2012     IS     Guidance on the application of SMS
Part 3    ISO/IEC 20000-3:2009     TR     Guidance on scope definition and applicability
Part 4    ISO/IEC 20000-4:2010     TR     Process reference model
Part 5    ISO/IEC 20000-5:2010     TR     Exemplar implementation plan for ISO/IEC 20000-1
Part 7    ISO/IEC 20000-7 (*)      ---    Guidance on cloud deployment
Part 8    ISO/IEC 20000-8 (**)     ---    Service Management processes assessment model
Part 10   ISO/IEC 20000-10 (*)     ---    Concepts and terminology
Part 11   ISO/IEC 20000-11 (*)     ---    Guidance on the relationship between ISO/IEC 20000-1:2011 and related frameworks
---       ISO/IEC 27013 (***)      ---    Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1

Comments to the chart:

(*) Standards to be published on future dates
(**) Based on the ISO/IEC 15504 standard
(***) Family of standards (ISO/IEC 27000) related to Security Management Information System (SMIS)
IS: International Standard
TR: Technical Report, Information document that contains information other than the usual
published in a normative document (IS)

As shown in the chart, not all parts have been published, nor are they all at the same stage of
development. In this book, the two parts we will focus on will be Part 1 (ISO/IEC 20000-1:2011)
and Part 2 (ISO/IEC 20000-2:2012).

Part 1 considers what the standard calls the “shalls”, that is, “what to do” in an SMS, while Part 2
considers the “shoulds”, or “what should be done”. In other words, while Part 1 provides information
about what is mandatory according to the standard, Part 2 provides recommendations to be
followed.

When an audit mentions breaches or non-conformities with the standard, it is referring to those
points of the SMS that do not adhere to the requirements of ISO/IEC 20000 Part 1.

1.2.2 Scope of the ISO/IEC 20000 standard

Depending on the approach with regards to this international standard, different groups may find it
helpful:

• Organizations:
  o For any organization seeking services from service providers and requiring assurance
    that their service requirements will be fulfilled.
  o For any organization that requires a consistent approach by all its service
    providers, including those in a supply chain.

• Service Providers:
  o For a service provider that intends to demonstrate its capability for the design, transition,
    delivery and improvement of services that fulfill service requirements.
  o For a service provider to monitor, measure and review its service management processes
    and services.
  o For a service provider to improve the design, transition and delivery of services through
    effective implementation and operation of an SMS.

• Assessors or Auditors:
  o For an assessor or auditor as the criteria for a conformity assessment of a service
    provider's SMS to the requirements of the standard.

Figure 1.9: Scope of the standard (Source: ITeratum, based on ISO/IEC 20000-2)

1.2.3 Sections in the ISO/IEC 20000 standard

Both Part 1 (ISO/IEC 20000-1:2011) and Part 2 (ISO/IEC 20000-2:2012) of the standard are
divided into a number of uniform sections that deal with similar subjects. These sections are:

1. Scope
2. Normative references
3. Terms and definitions
4. Service management system general requirements
4.1. Management responsibility
4.2. Governance of processes operated by other parties
4.3. Documentation management
4.4. Resource management
4.5. Establish and improve the SMS
5. Design and transition of new or changed services
6. Service delivery processes
6.1. Service level management
6.2. Service reporting
6.3. Service continuity and availability management
6.4. Budgeting and accounting for services
6.5. Capacity management
6.6. Information security management
7. Relationship processes
7.1. Business relationship management
7.2. Supplier management
8. Resolution processes
8.1. Incident and service request management
8.2. Problem management
9. Control processes
9.1. Configuration management
9.2. Change management
9.3. Release and deployment management

The following chart shows schematically sections 4 to 9 of the standard. Each of these sections will
be discussed in detail from Chapter 2 onward.

Figure 1.10: Sections of the standard & Processes (Source: ISO/IEC 20000-2)

1.2.4 Other complementary frameworks related to quality

There are multiple standards, frameworks, best practices and new technologies that together make
up the current landscape of Information Technology Service Management. Since each of them tends
to focus on a specific part of ITSM, taken together they form a view in which they complement
each other and reinforce the effectiveness and efficiency that an organization can achieve
through their knowledge and use.

1.2.4.1 ITIL®

ITIL®, the Information Technology Infrastructure Library, is the set of best practices for IT
Service Management.

Along with ISO 9000, ITIL® version 2 is considered the predecessor of ISO/IEC 20000. ITIL® has
evolved over time and it currently considers the services from a lifecycle perspective,
beginning with the strategy and going through design and transition to the service operation.
All this is controlled and supervised by the continual service improvement.

Figure 1.11: The Lifecycle according to ITIL® (Source: EXIN materials)

In its latest review (2011), ITIL® takes into account 26 processes, many of them closely related
to those considered in the ISO/IEC 20000:2011 standard. Because of this, it is used by many
organizations as the body of knowledge which supports the implementation of ISO/IEC 20000.

Figure 1.12: Standards & best practices (Source: EXIN materials)

1.2.4.2 COBIT®

COBIT®, Control Objectives for Information and Related Technologies, is a globally accepted
reference framework for IT Governance based on the standards and best practices of the
industry.

It was created by ISACA in 1996, and then jointly developed with ITGI®, with the objective of
being used in the audit of information systems. It later evolved into a framework for IT
Management. ISACA, the Information Systems Audit and Control Association, defines the purpose of
COBIT® as "helping IT professionals and business leaders fulfill their governance and management
responsibilities, particularly in the areas of assurance, security, risk and control, in order
to add value to the business". ITGI® (IT Governance Institute) is a non-profit, independent
research entity that provides guidance to the global business community on subjects related to
corporate governance of IT assets. ITGI® was established by ISACA in 1998.

Figure 1.13: COBIT® 4.1 (Source: ISACA)

At the time when this book was published, two versions of COBIT® coexisted: version 4.1, which
appeared in 2007 and is widespread; and version 5, recently released (2012). Version 4.1 is
structured in 4 domains or groups of processes (Plan and Organize, Acquire and Implement,
Deliver and Support, and Monitor and Evaluate). Together, these four domains encompass 34
processes. For each of these processes, COBIT® proposes a number of indicators to monitor and
control targets.

Figure 1.14: Domains in COBIT® 4.1 (Source: ISACA)

In April 2012, COBIT® version 5 came out. This version incorporates concepts from other
frameworks and standards such as ITIL®, ISO/IEC 27002, Risk IT (framework for risk assessment
and management) and Val IT (framework for IT business investment governance). COBIT® 5 is
based on five key principles:

Figure 1.15: Key Principles in COBIT® 5 (Source: ISACA)

The COBIT® 5 Process Reference Model subdivides the IT-related activities and practices of the
organization into two main areas, Governance and Administration. The Administration area is
further divided into domains of processes:

• The Governance Domain contains five governance processes, each of them consisting of
  practices defined for Evaluate, Direct and Monitor (EDM).
• The four domains of Administration are aligned with the responsibility areas of Plan,
  Build, Run and Monitor (PBRM). These are:
  o Align, Plan and Organize
  o Build, Acquire and Implement
  o Deliver, Service and Support
  o Monitor, Evaluate and Assess

COBIT® 5 considers 37 processes, taking into account Governance and Administration.

1.2.4.3 Six Sigma®

Six Sigma® is a process improvement methodology which aims to reduce defects, where a defect is
anything that falls outside the customer's specifications. The main objective of Six Sigma® is
to reduce errors to less than 3.4 defects per million executions (regardless of the process in
question).

Six Sigma® applies statistical tools to study the processes. That is the reason behind its name:
“sigma” is the standard deviation, which indicates the variability in a process. The efficiency of a
process may be classified according to its level of sigma (DPMO = defects per million events or
opportunities):

• 1 sigma = 690,000 DPMO = 31% efficiency
• 2 sigma = 308,538 DPMO = 69% efficiency
• 3 sigma = 66,807 DPMO = 93.3% efficiency
• 4 sigma = 6,210 DPMO = 99.38% efficiency
• 5 sigma = 233 DPMO = 99.977% efficiency
• 6 sigma = 3.4 DPMO = 99.99966% efficiency

Six Sigma® makes use of DMAIC methodology (Define, Measure, Analyze, Improve and Control),
based on Deming’s PDCA cycle. DMADV methodology (Define, Measure, Analyze, Design and Verify)
comes from DMAIC. Whereas DMAIC is a method of improving already existing processes, DMADV is
applied to the creation of new processes.

Figure 1.16: DMAIC methodology (Source: ITeratum based on Six Sigma®)

1.2.4.4 CMMI®

Capability Maturity Model Integration (CMMI®) is a model to assess the maturity of processes
carried out in an organization, setting a method for gradual improvement.

It was developed in 1986 by the Software Engineering Institute (SEI) of Carnegie Mellon
University in response to a request from the Department of Defense of the United States, which
wished to have a method to control the software development capability of its suppliers. This
original model was called SW-CMM (Maturity Model Software Capability). SW-CMM evolved into
CMMI®, expanding the scope of its framework. Currently, CMMI® is divided into four areas of
processes (24 processes in total): CMMI® Foundation, with processes common to all of them; CMMI®
for Development, for the development of software applications; CMMI® for Services, for the
provision of services; and CMMI® for Acquisition, for acquisitions.

Figure 1.17: CMMI framework (Source: ITeratum)

CMMI® defines five gradual steps in which an organization is positioned depending on the
maturity of its processes:

• The improvement of the processes is performed continuously.
• Quality and performance quantitative targets are set and measured.
• All processes are defined, documented and integrated.
• There are some basic processes adopted by the organization.
• The processes are chaotic and just a few are defined.

Figure 1.18: CMMI maturity levels (Source: ITeratum)

Organizations may evaluate their maturity level against CMMI® using the Standard CMMI
Appraisal Method for Process Improvement (SCAMPI).

1.2.4.5 ISO 9001

The ISO 9001 standard specifies the requirements to be met by a Quality Management System in
an organization, regardless of the product or service provided and the type of organization in
question.

The ISO 9001 standard has already been mentioned when we talked about Quality Management.
Among its main contributions, the 8 basic principles for the Quality Management stand out:

1. Customer focus
2. Leadership
3. Involvement of people
4. Process approach
5. System approach to management
6. Continual improvement
7. Factual approach to decision making
8. Mutually beneficial supplier relationship

Figure 1.19: Quality Management Principles (Source: ITeratum, based on ISO 9001)

ISO 9001 describes only general processes: organizational management, resource management,
product or service development, measurement, analysis and improvement. On the other hand,
ISO/IEC 20000, relying on ISO 9001, deepens and focuses on the issues related to Service
Management.

1.2.4.6 ISO/IEC 27001

The ISO/IEC 27001 standard specifies which requirements must be met by an Information
Security Management System (ISMS).

This standard is closely related to ISO/IEC 20000, to the point that if an organization that is
certified in ISO/IEC 27001 wants to become certified in ISO/IEC 20000, and the scope specified
for both standards is the same, ISO/IEC 20000-1 section 6.6 (Information security management)
is not required.

ISO/IEC 27000, just as other ISO standards, is based on the PDCA cycle:

Figure 1.20: PDCA in ISO/IEC 27000 (Source: ISO/IEC 27000)

ISO/IEC 27000 is a family of standards, consisting of multiple documents:

• ISO/IEC 27000 – Overview and Terminology
• ISO/IEC 27001 – ISMS Requirements
• ISO/IEC 27002 – Code of Practice
• ISO/IEC 27003 – Implementation
• ISO/IEC 27004 – Measures
• ISO/IEC 27005 – Security Risk Management
• ISO/IEC 27006 – Audit

And the family of standards is still growing (27011, 27031, 27033, 27035…).

1.2.4.7 ISO/IEC 38500

ISO/IEC 38500 is the standard for IT Governance. Its purpose is to promote an acceptable,
effective and efficient use of Information Technology in organizations.

By Corporate Governance we mean the set of directions, policies, processes and regulations by
which companies are ruled, operated and controlled, whatever their sector. The ISO/IEC 38500
standard refers to "IT Corporate Governance" and not "IT Governance". The reason is that there
is no separate set of rules for Information Technology; it has to comply with the same rules
that govern the business.

IT Corporate Governance should be carried out through three main tasks:

• Evaluate: review and assess strategies and proposals, taking into consideration the
  present and future business needs.
• Direct: define and assign responsibilities for the implementation of plans and policies.
• Monitor: using measurement systems, monitor performance and conformance to external
  obligations.

Figure 1.21: Corporate Governance activities (Source: ISO/IEC 38500)

1.2.4.8 “New” Technologies

Information Technology Service Management, by its very nature, is highly influenced by the
emergence of new technologies, and of others that evolve from traditional technologies, driven
by technical advances.

Combined with the interest of companies in optimizing their resources cost-efficiently, this
brings a series of "New" Technologies into play. Those technologies add to frameworks,
standards and best practices to enrich the available possibilities for IT Service Management.
Among the most successful we find the following:

Green IT: The Green IT concept refers to the guidelines focused on the definition, spreading
and promotion of energy efficient technology, and the reduction of its environmental impact
while achieving cost savings.

Cloud Technologies: Cloud Technologies refer to the provision and acquisition of IT services
based on the Internet. Its main features are:
• On demand self service
• Pooling resources (multi-tenancy)
• Scalability and flexibility
• Pay per use
• Broad access through the network ("anytime, anywhere, from any device")

TMap NEXT®: Methodology for "Testing" (test planning, preparation and measurement) based on
four key elements:
• Business-driven Test Management (BDTM)
• Structured Test Process
• Tool kit
• Adaptability

1.2.5 Complementary nature of the quality frameworks

Although every standard and/or framework previously seen may be used separately and be
sufficient for an organization, none of them provides a comprehensive solution to IT Management.
However, there is neither competition nor exclusion between them. Furthermore, they often have
overlapping areas, thereby becoming complementary elements.

Many organizations make use of a combination of them for a more effective management and
improvement of Information Technologies. Some companies have chosen a combination of ITIL®,
CMMI® and Six Sigma® as the best option, whereas others have preferred the option of ITIL® plus
COBIT® in order to transform their organization. There is no specific formula. Every organization
should choose their formula depending on their own needs and targets. The following table is a
summary of the elements studied and some possible combinations:

Frame / standard              Suitable for:

ISO 9001, Six Sigma®          Quality Management in the organization.
ISO/IEC 20000, ITIL®          Information Technologies Service Management improvement.
ISO/IEC 27001                 Information Security Management.
CMMI®                         Assessment of maturity level of IT processes and services.
COBIT® 5, ISO/IEC 38500       Information Technology Governance.

It is remarkable that all these frameworks and standards have a concept in common: the
commitment of people. People make it possible to apply them.

Exam Preparation: chapter 1

To help prepare for the exam, we have included multiple choice and conceptual questions (the
answer key can be found at the end of this workbook). Additionally you are provided with an
overview of terms with which you should be familiar.

Sample Questions

1. What is Six Sigma®?
A. It is a quality instrument to measure defects in process outputs.
B. It is a six step maturity model to improve the capability of business processes.
C. It is a standard that was developed for improvement of IT processes.
D. It is a structured, statistically based approach to process improvement.

2. A service provider can integrate their Service Management System with a quality
management system or an Information Security Management System to provide the highest
level of service to the customer. Which standard supports the Quality Management System?
A. ISO 9001
B. ISO/IEC 27001
C. COBIT®
D. ITIL®

3. What is the focus of the Deming Cycle?
A. Continual improvement
B. Customer orientation
C. Designing new services
D. Cost calculation

4. The Plan-Do-Check-Act (PDCA) methodology can be applied to all processes. What does the
Act phase of this methodology cover?
A. Establishing the objectives and processes necessary to deliver results in accordance with
Customer requirements and the organization's policies
B. Implementation of the processes
C. Monitoring and measuring the services rendered and the Service management system (SMS)
D. Taking the necessary actions to continually improve

5. Why is it important that reviews are conducted regularly during the Check phase of the Plan-
Do-Check-Act (PDCA) methodology?
A. To be able to allocate roles and responsibilities
B. To be able to define the objectives and requirements that are to be achieved by Service
management
C. To be able to establish the Service management policy, objectives and plans
D. To determine whether the Service management requirements are effectively implemented and
maintained

6. What would be a good reason for organizations to adopt ISO/IEC 20000?
A. To confirm that all of the ITIL® guidelines have been implemented
B. To demonstrate alignment to customer requirements
C. To certify their services
D. To certify their products

7. A process is a set of interacting activities which transforms inputs into outputs. What is the
Process owner responsible for?
A. Describing the process
B. Operating the process
C. Providing process reports
D. Setting up the process

Conceptual Questions

1. Which are the three key components of an IT service?
2. According to the ISO 9001:2005 standard, what is a process?
3. What are CSFs and KPIs?
4. Describe the main roles in a process according to the ISO/IEC 20000-2 standard.
5. Which is the objective of the ISO/IEC 20000:2011 standard?
6. What is the main difference between Part 1 and 2 of ISO/IEC 20000:2011?
7. What is COBIT®?
8. Which are the five steps in DMAIC methodology used in Six Sigma®? What is it based on?

Exam Terms

Quality, Quality Management, Service, Customer, Process, Process orientation, ITSM, Roles,
PDCA, Deming Cycle, Framework, IT Governance, Maturity Model, Best practices, International
Standard, Customer Focus, Service Management Tools.

The Service Management System (SMS):
Exam specifications (20%)

After reading chapter 2, you will be able to understand the role of the SMS within the
organization. You will thereby achieve the following objectives:

2.1 Understand the management system for service management (10%)
You will be able to:
2.1.1 Describe why and which roles are needed
2.1.2 Describe the objective of a service management system
2.1.3 Describe general management responsibilities
2.1.4 Describe general governance principles
2.1.5 Describe importance of documentation and basic requirements for documentation
2.1.6 Describe the requirements for resource management

2.2 Understand the core concepts of the Service Management System (10%)
You will be able to:
2.2.1 Describe the objective of planning and improving service management
2.2.2 Describe the continual improvement methodology for service management processes
2.2.3 Describe the key principles of producing and implementing a service management plan
2.2.4 Describe the requirements for monitoring, measuring, reviewing and improving the processes

2 The Service Management System (SMS)

2.1 What is a Service Management System (SMS)?

The ISO/IEC 20000:2011 defines an SMS as a management system to direct, monitor and control
the service management activities of the service provider.

The SMS should include what is required for the planning, design, transition, delivery and
improvement of services. At a minimum this includes service management policies, objectives,
plans, processes, process interfaces, documentation and resources. The SMS encompasses all
the processes as an over-arching management system, with the service management processes
as part of the SMS.

Figure 2.1: Elements in a Service Management System (Source: ITeratum)

Coordinated integration and implementation of an SMS provides ongoing control, greater
effectiveness, efficiency and opportunities for continual improvement. When other management
systems are present in the organization (e.g. based on ISO 9001 or ISO/IEC 27001) that share a
PDCA approach, they may be integrated with the SMS, increasing the effectiveness and efficiency
of the final resultant system.

In an organization, the SMS is the element that makes it possible to control every stage
related to service management, from design to continual improvement, based on the requirements
of customers and other interested parties.

Figure 2.2: The Service Management System (Source: ISO/IEC 20000)

The service provider is accountable for the SMS. This does not mean that the provider is not
allowed to delegate certain activities to third parties. However, delegating does not exempt
the provider from its liability to the customers to whom it provides services. In this case, the
service provider can demonstrate evidence of fulfilling all the requirements of the ISO/IEC
20000-1 standard, proving it has control (governance) over those processes operated by suppliers
(third parties).

In the following chapters we will look in depth at each relevant section of the standard, that
is, sections 4 to 9.

2.2 SMS general requirements

This chapter deals with Section 4 of ISO/IEC 20000:2011.

2.2.1 Top management responsibilities

We have previously seen that quality is a concept that requires the commitment of everyone
working in a company (total quality). This must be clearly shown right from the top of the
hierarchical structure of the organization, which should be an example to be followed by the other
levels.

Top management should be the management who direct, monitor and control the service provider
at the highest level.

Top management responsibilities include:

• Management commitment: Top management should ensure that all service lifecycle stages are
  delivered to the agreed levels, as defined in the service requirements. The service lifecycle
  includes planning, implementation, operation, monitoring, measurement, review, maintenance and
  continual improvement. The service lifecycle also includes transfer of the service to a
  customer or a different party or eventual removal of the service.
• Service management policy: The service management policy should be specific to the service
  provider's circumstances and have a customer focus. The policy should be based on the agreed
  scope of the SMS and represent top management direction and commitment to fulfill service
  requirements.
• Authority, responsibility and communication: The service provider should ensure that the
  authorities and responsibilities for all aspects of the SMS are defined. Top management
  should be accountable for ensuring that communication procedures are designed, transitioned,
  implemented and used.
• Management representative: The management representative should be the member of the
  service provider’s management team who has the authority to ensure that the SMS is
  established, used, improved over time and in alignment with the changing needs of the
  business.

2.2.2 Governance of processes operated by other parties

According to ISO/IEC 20000-2, the service provider should be able to identify all service
management processes or parts of processes that are operated by other parties, to have an end-
to-end visibility of the performance of the other parties and to be able to demonstrate control of all
of them. This should be supported by all contracts and other documented agreements.

Other parties include:

• Internal groups, who are organizational units inside the same organization as the service
  provider, but not within the direct control of the service provider (e.g. a specialist
  security team)
• Customers acting as suppliers (e.g. the customer performing some of the activities of
  incident and service request management)
• Suppliers (e.g. outsourcing of the testing done as part of the release and deployment
  management process)

The service provider should demonstrate by providing evidence:

• The accountability and authority of the processes that are operated by other parties.
• That every process in Sections 5 to 9 operated by other parties delivers the outcomes
  required.
• The control of the planning of and setting priorities for improvements to all processes.

The governance of processes operated by other parties is described in detail in Part 3 of the
standard (ISO/IEC TR 20000-3:2009).

2.2.3 Documentation management

Documentation is an essential element within the Service Management System, as is the
effective management of such documentation. Section 3 of ISO/IEC 20000-1:2011 defines
document and record as follows:

Document: information and its supporting medium
Record: document stating results achieved or providing evidence of activities performed

The service provider should ensure that evidence is available for any audit of the SMS. Much of the
evidence should exist in the form of documents. Documents may be any type, form or medium
suitable for their purpose (e.g. paper based, electronic files or in a database). The following
documents can be considered as evidence for an audit of the SMS:

• Service Management policies, objectives and plans
• Process and procedure documents
• A catalogue of services
• Service documents (designs, specifications, acceptance criteria)
• Contractual documents (including requirements and change control)
• Audit planning activities and reports
• Change planning activities

Good document management ensures efficient planning, operation and control of the SMS.

The service provider should understand that an effective procedure is essential for the production
of documents, including records. This includes the use of a naming and numbering system that
aligns with the purpose and revision history of documents. The use of templates and standardized
format can reduce the effort of creating, accessing, updating and using the content.

2.2.3.1 Control of documents

Once produced, the documents should be subjected to a control that should include periodic
reviews, at least annually, with updates if necessary. This control can provide visibility of
the impacts of changes (e.g. to a service level agreement).

The service provider should develop a number of procedures with the necessary authority and
responsibility levels for the adequate control of documents. This way, different levels of authority
would be allocated for writing, editing, reviewing, approving, updating, removal and archiving of
documents.

2.2.3.2 Control of records

Records associated with the SMS should be aligned to the requirements of ISO/IEC 20000-1,
statutory and regulatory requirements and contractual obligations (for example, retention of records,
archival and disposal practices).

Records established to provide evidence of conformity to requirements should be controlled. The
service provider should establish a procedure to define the controls needed for the identification,
storage, protection, retrieval, retention and disposition of records. Records should remain legible,
readily identifiable and retrievable.

2.2.4 Resource management

2.2.4.1 Provision of resources

Implementing a Service Management System would be impossible without a number of essential
resources. According to the requirements of Section 4 of ISO/IEC 20000:2011:

The service provider should make available all resources agreed in the plan to establish,
implement, maintain and improve the SMS and the agreed services.

The resources include at least the following:

• Human Resources: people needed to design, implement and operate the SMS, top management
  and personnel involved in the management of the SMS.
• Technical Resources: infrastructure, tools, regular work facilities and service continuity
  facilities.
• Information: customer requirements, customer’s business needs and business plans, service
  management policies, measures and other reports.
• Financial resources: funds for projects and funds for continual operation of the SMS.

Figure 2.3: Resources in a SMS (Source: ITeratum)

2.2.4.2 Human Resources

Human resources play a key function in IT Service Management. Defining each person's role in
the SMS and the authority level assigned to them should be among the service provider's
commitments.

A very useful tool when performing this task is known as the RACI responsibility matrix. RACI is an
acronym that stands for Responsible, Accountable, Consulted and Informed.

Responsible: Someone who actively participates performing a task or activity.
Accountable: The person with the highest responsibility. Validates the work done by others.
Consulted: Someone who is consulted to gather information.
Informed: Someone who is informed (reported).

The authorities and responsibilities for each service management process in the SMS should
include:

Role                          Accountable for:

Process Owner                 The design of the process.
                              Ensuring adherence to the process.
                              The measurement and improvement of the process.
Process Manager               The daily process operation.
                              The process resources management.
Personnel of the process      Perform the procedures of the process.

The competence required for a role should be based on analysis of the specific characteristics and
requirements of that role. This should include but not be limited to: education (certificates), training,
skills and experience. The service provider should be aware of this and, consequently:

• Should maintain the appropriate education, training, skills and experience records.
• Should provide training and development.
• Should control effectiveness of training and certification.

Top management should ensure that personnel are aware of the relevance and importance of their
activities and of how they contribute to the achievement of service management objectives.

2.3 Establish and improve the SMS

2.3.1 SMS scope definition

The service provider should establish whether ISO/IEC 20000-1 is applicable to their
circumstances early in the planning stage, as well as define the scope of the SMS. When defining
the scope of the SMS the following parameters should be considered:

• Organizational units providing services
• Services offered
• Geographical location from which the service provider delivers the services
• Customers and their locations
• Technology used to provide the services

For the SMS to be effective, the service provider should continually improve the SMS and the
services using the PDCA methodology. Part 3 of the standard (ISO/IEC TR 20000-3) gives advice
on defining the scope of the SMS and checking the applicability of ISO/IEC 20000-1 to the service
provider’s circumstances.

Figure 2.4: SMS & PDCA Cycle (Source: ITeratum)

2.3.2 Plan the SMS (Plan)

The plan for the SMS should cover all aspects of service management and delivery of services. To
this end it is important to design a plan, known as the Service Management Plan, which includes
but is not limited to the aspects given below.

• The service management objectives
• Service requirements, policies, standards, regulatory and statutory requirements
• Resources, facilities, budgets
• Authority, responsibility and role definition
• Process interfaces
• Risk Management
• Tools for process support
• Measures and reports

2.3.3 Implement and operate the SMS (Do)

The service provider should implement and operate the SMS in alignment with the service
management plan and as a means of achieving the service management objectives. To this end,
the following activities should be carried out:

• SMS implementation
• Budgets allocation
• Assign roles and responsibilities
• Manage and maintain policies, plans and procedures for each process
• Risk identification and management
• Service management process coordination
• Teams and facilities management
• Monitor and report on services activities
• Tracking of the Service Management Plan

2.3.4 Monitor and review the SMS (Check)

The service provider should continuously monitor, measure and review the service management
objectives and plan the necessary activities to ensure they are being achieved.

For this, there should be an Audit Program that takes into consideration:

• Status and importance of the processes and organizations being audited.
• Previous audit outcomes.
• Frequency, criteria, scope and methods to be used.

Those responsible for carrying out the audits should be objective and impartial. A task cannot be
audited by the same person who performs that task.

After conducting audits, the reviews, evaluations, results and corrective actions identified should be
documented. In case of non-compliance, all parties concerned should be informed. Different levels
of assessments and audits can be set:

Self-assessment: A department assesses its own procedures. Necessary, but not very objective.

Internal audit: Carried out by an internal department within the organization. The auditor belongs
to the same organization but is not involved in the department being audited.

Vendor audit: Performed by a supplier of the organization.

External audit: Performed by an independent, external and qualified organization.

Figure 2.5: Types of audits (Source: ITeratum)

Top management should review the SMS at planned intervals to check that it continues to enable
the fulfillment of changing business needs and service requirements. The review can be performed
against:

• Performance of the SMS against policies, plans and objectives
• Measurement of process key performance indicators (KPIs)
• The results of internal and external audits
• A review of continual improvement activities aligned with business objectives
• Post implementation reviews of changes
• Industry best practice
• Customer satisfaction survey results
• Desired business outcomes

2.3.5 Maintain and Improve the SMS (Act)

Continual improvement is one of the core concepts of ISO/IEC 20000. The standard states that a
strategic approach should be used, establishing a continual improvement policy for the SMS and the
services. This should include evaluation and prioritization criteria for the improvement opportunities.

A documented procedure identifying the authorities and responsibilities for all improvement
activities should be used. This procedure should ensure that opportunities for improvement are
effectively identified, evaluated, prioritized, approved, implemented, managed and measured.

Inputs to manage continual improvement should include:

• Relevant directives from top management
• Root causes identified as a result of audits and reviews, both of the SMS and of individual services
• Suggestions from the customer and from the service provider
• Problem records
• Tests of plans (e.g. service continuity tests)
• Optimized resource utilization or risk reduction

Exam Preparation: chapter 2

To help prepare for the exam, we have included multiple choice and conceptual questions (the
answer key can be found at the end of this workbook). Additionally you are provided with an
overview of terms with which you should be familiar.

Sample Questions

1. IT Service Management needs to be planned to establish the objectives, processes and
procedures necessary to deliver results in accordance with the customer requirements and
the organization's policies. What should definitely be included in the Service Management
Plan?
A. The appropriate tools to support the processes
B. The interfaces between business processes
C. The procedure for dealing with emergency releases
D. The service continuity procedures

2. Top management has to provide evidence of its commitment to planning, establishing,
implementing, operating and improving its Service Management System within the context of
the organization's business and customers' requirements. What is the best way that
management can make this visible?
A. By outsourcing Change management
B. By taking disciplinary action against underperforming employees
C. By taking part in the planning of new IT services
D. Through leadership and actions

3. Why is it important for service providers to maintain documents and records?
A. To be able to uniquely identify and record all Configuration Items (CIs) in the Configuration
Management Database (CMDB)
B. To ensure effective planning, operation and control of the Service Management System
(SMS)
C. To ensure employees are aware of the relevance and importance of their work activities
D. To meet the requirements (evidence) to become ISO/IEC 20000 compliant

4. Why are processes and procedures required for a service management system?
A. To be able to define service management objectives in a structured manner
B. To ensure that service issues never arise
C. To provide consistency in the output from activities
D. To satisfy the needs of major suppliers

5. What should be recorded as a baseline prior to implementing a plan for service improvement?
A. Backlog of changes for the service
B. Number of staff involved
C. Service or component configurations
D. Time taken to operate the process

6. Personnel should be competent on the basis of appropriate education and experience. What
is a requirement relating to competence?
A. Appropriate records of education, training, skills and experience need to be maintained
B. At least two employees should be suitably trained for each role
C. Employees should have at least a relevant bachelor's degree
D. Personnel should all have a relevant Security training according to ISO/IEC 27002

Conceptual Questions

1. When ISO/IEC 20000 refers to "third parties", who are they?
2. What is the difference between document and record?
3. In Resource Management, which are the minimal resources to be considered according to the
ISO/IEC 20000 standard?
4. Which are the main responsibilities of a Process Owner?
5. List five elements to be taken into account when designing the Service Management Plan.
6. What kind of audits should be performed in the Monitor and Review stage of the SMS?

Exam Terms

Service Management System (SMS), Third Party, Service Management Policy, Document, Record,
Resources, Process Owner, Process Manager, Scope of the SMS, Planning the SMS,
Implementing the SMS, Monitoring and Reviewing the SMS, Maintain and Improve the SMS.

Service Design and Transition:
Exam specifications (5%)

After reading chapter 3, you will be able to understand the importance of the Service Design and
Transition process when transferring a service to the real production environment. Thereby, you will
then achieve the following objectives:

3.1 Understand the core concepts for service design and transition (5%)
You will be able to:
3.1.1 Describe at a high level the management requirements for new/changed services
3.1.2 Describe at a high level the requirements for planning new/changed services
3.1.3 Describe at a high level the requirements for designing new/changed services
3.1.4 Describe at a high level the requirements for transitioning new/changed services

3 Service Design and Transition

3.1 Basic concepts of Service Design and Transition

This chapter deals with Section 5 of ISO/IEC 20000:2011.

3.1.1 General

The objective of the design and transition of new or changed services process is to establish and
implement the necessary plans to control the delivery of the new or changed services offered by the
provider.

This process works closely with control processes (Change Management, Configuration
Management and Release and Deployment Management) and applies not only to new or changed
services but also to the withdrawal of services and the transfer or recovery of services to or from
third parties.

Even though control processes are at the core of managing all changes to the SMS and the
services, the scope of this process goes beyond the junction of the three control processes.
According to ISO/IEC 20000-2, this process should be applied to new or changed services that are
either high risk or have a potentially major impact on services or the customer, or wherever there
are interfaces with tasks or deliverables that fall outside the scope of SMS.

Figure 3.1: Main processes in transition (Source: ITeratum)

The service provider will determine for which changes it is appropriate to use the design and
transition of new or changed services process (e.g. when the change affects more than one service
or location, where there is a risk of infringing a data protection law, etc.). The criteria
usually vary for each provider and situation.

3.1.2 Plan new or changed services

Any new or changed services to which Section 5 of the ISO/IEC 20000:2011 standard applies
should be managed as a project due to the size, risks and scope of the changes. The service
provider should consider the potential impact of such a service and ensure a strong coordination
between the change management process and the project management roles and authorities, from
the earliest possible stage of the project.

Figure 3.2: The planning elements (Source: ITeratum)

When another party is involved in the new or changed services, the service provider should do a
thorough review. The review should evaluate the capability of the other party to fulfill their
commitments, including the agreed service requirements. The review should also evaluate the risk
to the existing services and support environment.

If other parties besides the service provider (suppliers, stakeholders, etc.) are involved in the
project, the service provider should thoroughly review the ability of those parties to fulfill the
commitments agreed with the customer, as well as the risk these parties pose to the project.

If a service is to be removed, this should be planned and documented in a service removal plan.
The plan should include:

• The conditions where removal applies
• The objectives and success factors of the removal
• Governance of processes operated by other parties
• Roles, responsibilities, constraints and risks
• Activity breakdown, milestones and deliverables
• Agreed completion criteria for the removal and end of service provider’s responsibility
• The date when the service is no longer available to the users and the date when the service is
  removed

3.1.3 Design and development of new or changed services

The design of the service should be documented and agreed upon by all the interested parties prior
to the development stage. The design should take into account current service requirements and
information security considerations, as well as the resource capacity projections for growth during
the anticipated life of the service. Likewise, this stage should ensure that the resulting designs meet
the business requirements.

Design and development should include the following items, as appropriate:

• The activities of design and implementation, transition, operation and maintenance for
  acceptance of services
• Required inputs to and outputs from each activity
• Planning, resource organization, teams organization and responsibilities
• Organizational and technical interfaces between different individuals or groups
• The analysis of the possible risks
• Training required for every team
• Documentation

3.1.4 Transition of new or changed services

The main intent of this stage is to ensure that the service requirements are met. The transition of
services should include the building, test and acceptance of the new or changed services, followed
by making them operational through the Release and Deployment Management process, under the
supervision of the Change Management process.

The transition should be reviewed with the customer and interested parties to establish that it is
ready for live operation. To this end, a number of service acceptance criteria should be set
beforehand in order to obtain the customer's acceptance.

Exam Preparation: chapter 3

To help prepare for the exam, we have included a number of conceptual questions (the answer key
can be found at the end of this workbook). Additionally you are provided with an overview of terms
with which you should be familiar.

Conceptual Questions

1. In which cases is it especially appropriate to apply the Design and Transition of new or changed
services process?
2. Which is the approach that should be used when planning a modification of an existing service
that is vital for the business?
3. List three elements to be considered when designing new services.

Exam Terms

New or changed services, planning, design, development, service transition.

The delivery processes and their relationships:
Exam specifications (15%)

After reading Chapter 4, you will be familiar with the delivery processes. This will allow you to reach
the following objectives:

4.1 Understand the service delivery processes (Service Level Management, Service Reporting,
Service Continuity and Availability Management, Budgeting and Accounting for Services, Capacity
Management and Information Security Management) (15%)
You will be able to:
4.1.1 Describe the objectives and quality requirements
4.1.2 Describe the activities and practical application for each process

4 The service delivery processes and their relationships

This chapter deals with Section 6 of ISO/IEC 20000:2011.

4.1 Service Level Management

Objective: to ensure that an agreed service is provided and that service targets are met. This
process ensures that agreed services and service targets are documented in a way that is easily
understood by the customer.

The Service Level Management (SLM) process should define, agree, document, monitor, report
and review the services delivered. The SLM process works closely with the Business Relationship
Management (BRM) process and the Supplier Management Process in order to ensure a correct
end-to-end service delivery. Customer satisfaction is a key element for success.

4.1.1 Terms and Definitions

Term                               Definition
Service Level                      Acceptable level of service quality.
Service Level Agreement (SLA)      Documented agreement between the service provider and
                                   customer that identifies services and service targets.
Service Level Requirements (SLR)   Detailed list of customer requirements on various aspects of
                                   an IT service. SLRs are essential to reach SLAs.
Service Catalogue                  A structured document with information about all IT services
                                   delivered.

4.1.2 Documentation of service commitments

SLAs may need to be supported by agreements with suppliers external to the service provider's
organization, or with internal groups. These supporting agreements with suppliers can be known as
underpinning contracts. Supporting agreements with internal groups can be known as operational
level agreements (OLA).

Figure 4.1: Providers, suppliers & agreements (Source: ITeratum based on EXIN materials)

4.1.3 Service Catalogue

The catalogue should hold information common to all of the services or most of them, in order to
simplify the SLAs. The catalogue of services should include a variety of information, including:

• The name, description and targets of the service
• Contact points
• Service hours, support hours and exceptions
• Dependencies between the services
• Dependencies between the services and service components
• Security arrangements

4.1.4 Service Level Agreements (SLA)

An SLA is a documented agreement between the service provider and the customer that describes
the service and service targets. An SLA also specifies the responsibilities of the service provider
and the customer. A single SLA may cover multiple services or multiple customers.

SLAs need to be reviewed at regular intervals and all changes made to both services and SLAs will
be under the control of the Change Management process.

The minimum content that should be in an SLA is:

• Brief service description
• Service targets
• Supporting and related services
• Validity period and/or SLA change control mechanism
• Brief description of communications, including reporting, review frequency and schedule
• Service hours (including exceptions, holidays and critical business periods)
• Scheduled and agreed interruptions to services
• Customer responsibilities
• Service provider liability and obligations
• Impact and priority guidelines
• Escalation and notification process
• Complaints procedure
• Upper and lower workload limits
• High level financial management details
• Glossary of terms
• Any exceptions to the terms given in the SLA

4.2 Service Reporting

Objective: to ensure the production of agreed, timely, reliable, accurate reports to facilitate
informed decision making and effective communication.

The success of all service management processes is dependent on the use of the information
provided in service reports. Reactive and proactive reports should be produced. Reactive reports
show what has happened, after it has happened. Proactive reports give warning of significant
events, thereby enabling preventive action to be taken beforehand. Where there are multiple
suppliers, lead suppliers and sub-contracted suppliers, the reports should reflect the information
related to all their activities.

4.2.1 Terms and Definitions

Term              Definition
Service Report    Document agreed between the service provider and the customer that contains
                  specific information for later evaluation.

4.2.2 Minimal Requirements

Each service report should be clearly described including its identifier, purpose, frequency,
audience, and details of data source. Service reports are intended to verify the customer's
requirements and identify needs. Service reports for customers and the business should include at
least:

• Performance against service targets
• Non-conformities (e.g. SLA breaches)
• Workload characteristics (resource usage)
• Performance reporting on major events (incidents and changes)
• Projections of current trends
• Customer satisfaction evaluation

4.3 Service Continuity and Availability Management

Objective: to ensure that agreed service continuity and availability commitments can be met, within
agreed targets.

This process includes both a focus on the prevention of and recovery from service failures or
disasters and the provision of sufficient service availability to meet service requirements.
Service providers may operate the service continuity and availability management process as two
separate processes that are linked or as a single process, depending on the service provider's
circumstances.

4.3.1 Terms and Definitions

Term                      Definition
Availability              Ability of a service or service component to perform its
                          required function at an agreed instant or over an agreed
                          period of time. Availability is normally expressed as a ratio
                          or percentage of the time that the service or service
                          component is actually available for use by the customer to
                          the agreed time that the service should be available.
Availability Plan         Document containing the actions, measures, costs,
                          resources and time planning intended to deliver the agreed
                          availability levels.
Service Continuity        Capability to manage risks and events that could have
                          serious impact on a service or services in order to
                          continually deliver services at agreed levels.
Service Continuity Plan   Document containing the actions, measures, costs,
                          resources and time planning aimed at maintaining the
                          service continuity and, where appropriate, to recover from a
                          disaster scenario.
Risk                      Effect of uncertainty on objectives. Risk is often expressed
                          in terms of a combination of the consequences of an event
                          and the associated likelihood of occurrence.

4.3.2 Activities

The service continuity and availability management process should allow for both reactive and
proactive aspects of the process. Proactive aspects will allow measures to be taken to prevent a
lack of service or disasters. Reactive aspects will allow carrying out recovery actions from an
incident or, in the worst case, from a disaster.

Figure 4.2: Continuity and availability aspects (Source: ITeratum)

4.3.2.1 Service continuity policy

The service continuity policy should be focused on supporting business continuity. The policy
should address the roles, activities and responsibilities required to meet the agreed service
requirements.

The policy should take into account agreed service hours and critical business periods. The service
provider should identify the requirements separately for each customer group and service,
including:

• The maximum acceptable continuous period of lost service
• The maximum acceptable periods of degraded service
• The acceptable degraded service levels during a period of service recovery

The service continuity policy should be reviewed at agreed intervals, at least annually. Any
changes to the policy should be formally agreed between the service provider and the customer.

4.3.2.2 Risk assessment and management

Once the strategy has been defined in the continuity policy, it is time to carry out the risk
assessment and management. The risk assessment should include business impact analysis of a
major loss of service. Risk mitigation measures meeting the business requirements and plans
should be agreed with the business.

Service continuity and availability requirements for normal service and after a major loss of service
should include at least the following:

• Access rights (who can have access rights under normal conditions and who can have
  access rights following a major loss of service)
• Response times (under normal circumstances and also after a major loss of service)
• End-to-end availability of services (e.g. for normal service what is the required availability of
  components required to deliver a complete service and after a major loss of service what
  priority should be given to each service).

4.3.2.3 Service continuity and availability plans

Service continuity plans should be based on the requirements defined in the service continuity
policy, a business impact analysis and risk assessments. These plans should be under the control
of the Change Management process, and responsibilities for invoking should be clearly assigned.
Service continuity testing should be undertaken at least annually or after every major business
change. All the relevant parties should be informed about the existence of service continuity plans
and appropriate awareness and training should be provided. The plans should contain the following
information:

• Dependencies between services and service components
• Recording and maintenance of plans
• Responsibility of each participant in the service continuity plan, clearly stating who can
  invoke the plan
• Data, documents and software, and any equipment and personnel necessary for service
  restoration following a disaster
• Standby arrangements with suppliers, where appropriate

The availability plan should identify the business needs and customer requirements, design
requirements, technical specifications and project planning activities required to meet the business
availability requirements both currently and in the future. The availability plan should be reviewed
and revised regularly, at least annually and after any major change.

4.3.2.4 Monitoring and testing

Service continuity testing

Service continuity testing should be undertaken after every major business change and change to
the service environment. The scope of service continuity testing should include the return to normal
service operation following a disruption and should involve the joint participation of the customer
and the service provider, based upon an agreed set of objectives.

Review after a service continuity test should be conducted to assess the achievement of the aims
and objectives of the test and to identify any areas of weakness or opportunities for improvement.

Availability monitoring and testing

Service continuity and availability management should, according to the agreed availability plan:

• Monitor and record availability of the service
• Maintain accurate historical data regarding availability of services
• Make comparisons with requirements defined in SLAs to identify any nonconformity to the
  agreed availability targets
• Predict future availability requirements

A regular availability testing schedule should confirm that the availability solutions are achievable
and appropriately resilient. Availability, reliability and resilience mechanisms should be reviewed
and tested after any major change.

4.4 Budgeting and Accounting for Services

Objective: to support the service provider's understanding of and ability to manage the total cost of
services.

In order to achieve this objective, the process should ensure that:

• The costs of services are understood
• Reliable forecasting of both costs and budget is achievable
• A budget is developed and used by service management processes
• Unexpected variances of costs or budget are managed
• The budget is adhered to so that service delivery is funded adequately throughout the budget
  period
• Budgets and costs are reviewed regularly

The budgeting and accounting process should control the financial aspects of services and service
components, and provide information that supports both the live operation of services and the
funding of service changes and improvements.

This process should be performed by the service provider, regardless of whether other aspects of
financial management are performed elsewhere in the organization, and should be aligned with and
receive information from the financial processes of the service provider's organization.

4.4.1 Terms and Definitions

Term          Definition
Budgeting     Prediction of future funding requirements for the agreed delivery of services.
Accounting    Tracing of the service provider regarding funding usage.
Charging      Billing to customers for services provided.

4.4.2 Policy

The service provider should have a documented policy and procedures for the financial
management of services. The policy should include the cost types used in the budget for cost
allocation and an explanation of how overhead costs are apportioned. Criteria should be defined to
allow for a budget and accounting analysis for each service.

The resources provided for the budgeting and accounting for services process should be based on
the needs of the customer, service provider, suppliers and other interested parties for financial
detail, as defined in the policy.

4.4.3 Cost types

The service provider should select categories for cost entries in the budget that are useful for
service management. For example, service providers should define cost models in line with
services and their components, as defined in the catalogue of services. Those categories should be
easily measurable (e.g. hardware, software, maintenance, personnel). The service provider should
also consider cost types such as:

• Assets used to provide the services
• Shared resources (e.g. level 1 support)
• Overheads such as office space
• Services delivered by suppliers
• Service management personnel

4.4.4 Overheads and direct costs

Apportionment of overhead costs may be based on a variety of mechanisms, such as a flat rate
cost, a fixed percentage, or based on the size of an agreed variable element of delivered services.

4.4.5 Budgeting

Forecast of costs and revenue for budgeting should take into account the planned changes to
services during the budget period. Budgeting and cost tracking should support planning to operate
and improve the services so that service levels can be maintained throughout the year.

4.4.6 Accounting

Accounting activities should be used to track costs to an agreed level of detail over an agreed
period of time.

Accounting reports should provide sufficient information to calculate the costs of low service levels
or costs resulting from a loss of service. To calculate these costs, the service provider should have
a clear understanding of costs of resources required to deliver the service (personnel, components,
facilities, and any aspects of the service delivered by other parties).

4.4.7 Charging

Charging is not included in ISO/IEC 20000-1 but it is recommended that where charging is in use,
the charging mechanism is defined and understood by all parties.

4.5 Capacity Management

Objective: to ensure that sufficient capacity is provided to meet the current agreed capacity and
performance requirements.

Resources should be balanced to fulfill both current and agreed capacity and performance
requirements, and to be prepared to fulfill future requirements.

The capacity management process should include both reactive and proactive activities. The
reactive activities should focus on ongoing monitoring, tuning, analysis and improvement of
operational capacity. The proactive aspect of the process should focus on planning to meet
future agreed business demand.

The capacity management process should develop plans to ensure that capacity requirements can
be agreed on, forecast and met.

4.5.1 Terms and Definitions

Term             Definition
Capacity         Maximum performance that can be obtained from a
                 component or IT service. For certain types of components,
                 the capacity may be the size or the volume, for example in
                 the case of a disk drive.
Capacity Plan    Document which sets out the actions, measures, costs,
                 resources and time planning designed to deliver the agreed
                 capacity levels, both present and future.

4.5.2 Activities

The activities of the Capacity Management process include:

• Assess, document and agree the capacity requirements for new or changed services
• Be involved in the design of new or changing services and make recommendations for the
  procurement of components and resources
• Set, monitor and use capacity thresholds, warnings and alarms to automatically manage and
  improve the utilization of components and the performance of services
• Maintain data and information used by the capacity management process
• Produce capacity and performance reports, which provide valuable information to many
  service management processes
• Forecast future component and service capacity and performance

4.5.3 Capacity plan

The capacity plan should document the actual performance, the expected business capacity needs
and the service requirements. It should be produced at least annually. The capacity plan should
include:

• Current and forecast service usage, ideally including recommendations regarding
  opportunities to influence the demand for capacity
• Current and forecast resource usage and performance
• The impact on capacity and performance of agreed requirements for availability, service
  continuity and service targets
• Time-scales, thresholds and costs for upgrades to service capacity
• Summaries of relevant business plans, scenarios and patterns of business activity
• Summary of changes in business activity, including user profiles if available
• Potential impact of new technologies on capacity and performance
• Data and procedures to enable predictive analysis (e.g. modeling techniques)
• Potential impact on statutory, regulatory, contractual and organizational requirements

4.6 Information Security Management

Objective: to ensure that security controls are in place to protect information assets and that
information security requirements are incorporated into the design and transition of new or
changed services.

Information security should be the result of a system of policies and procedures designed to
identify, control and protect the organization’s information and any resources used in connection
with its storage, transmission and processing. Management should ensure that clearly defined
information security management objectives are in place and that they align to business needs.

4.6.1 Terms and Definitions

Term: Definition
Information Security Policy: Policy governing the vision of the organization on the management of
information security.
Risk: Effect of uncertainty on objectives. Risk is often expressed in terms of a combination of the
consequences of an event and the associated likelihood of occurrence.
Confidentiality: Security principle that requires that only authorized personnel have access to a
particular set of data.
Integrity: Security principle certifying that the data and configuration items are changed only by
authorized personnel and activities to ensure accuracy of data.
Availability: Security principle that ensures the information is available to authorized users
whenever they require access to it.

4.6.2 Information Security Policy

Service requirements, statutory and regulatory requirements and contractual obligations should
provide the basis of an information security policy. The policy should give direction on the use of
physical, administrative and technical information security controls and should be approved by
managers accountable for the SMS and the services.

Management should ensure that personnel, customers, suppliers and internal groups have both
an adequate understanding of the contents of the policy and an appreciation of the importance of
adhering to it.

Management should also ensure that the information security policy is used as part of risk
assessments and during information security audits. The policy should provide guidance on the
criteria for accepting risks and the approach for managing identified information security risks.
Internal information security audits should be conducted at regular intervals and their results
reviewed to identify opportunities for improvement of information security.

Personnel with specialist information security roles can find it helpful to become familiar with the
ISO/IEC 27000 standards, which include guidance and advice for Information Security
Management Systems.

4.6.3 Information security controls

The information security controls are designed to safeguard the security of information assets by
preserving their confidentiality, integrity and availability (accessibility). Information security
controls can be physical, administrative or technical.

The service provider should ensure that the controls are documented, describing their related risks
and risk mitigation strategies. The service provider should also define information security controls
to manage external organizations and individuals that need to access, use or manage the
organization’s information or services.

4.6.4 Information security changes and incidents

Information security changes and incidents should be processed in accordance with the Change
Management process and the Incident and Service Request management process.

Requests for change (RFC) should be assessed to identify any new or changed information
security risks as a result of the proposed change. The RFC should also be assessed against any
potential impact on existing services, processes, policies or the existing information security
controls.

The service provider should use the results of reviews of information security incident records to
identify potential deficiencies and opportunities for improvement.

Exam Preparation: chapter 4

To help prepare for the exam, we have included multiple choice and conceptual questions (the
answer key can be found at the end of this workbook). Additionally you are provided with an
overview of terms with which you should be familiar.

Sample Questions

1. How can an organization determine the effectiveness of the Service Level Management
(SLM) process?
A. By checking contracts with suppliers
B. By defining Service levels
C. By measuring customer satisfaction
D. By reporting on all incidents

2. Where are agreements regarding Service delivery and its relationship to Information security
management recorded?
A. In a Capacity Plan
B. In a Configuration Management Database (CMDB)
C. In a Definitive Software Library (DSL)
D. In a Service Level Agreement (SLA)

3. The Service catalogue for a network company states that LAN authorization requests will be
complete within three weeks. A manager who is a client of the network company does not
believe this is achievable and requests a report demonstrating achievement of the catalogue
statement. Which process is responsible for providing this report?
A. Availability Management
B. Change Management
C. Problem Management
D. Service Level Management (SLM)

4. In Continuity management various precautionary measures are taken to ensure Services are
delivered during/after a catastrophe. An example would be having an emergency electrical
power supply. Which process could also initiate this kind of measure?
A. Availability Management
B. Capacity Management
C. Change Management
D. Incident Management

5. What is the intent of the Service continuity and availability management processes?
A. To ensure agreed effective communication towards Customers
B. To ensure that agreed levels of service commitments to Customers can be met in all
circumstances
C. To ensure that agreed Service continuity and availability commitments to Customers can be
met within agreed targets
D. To ensure that agreed Service continuity and availability commitments to providers can be
met in all circumstances

6. What is the description of Integrity in the Information security management process?
A. Access to the data at any moment
B. Protection of the data
C. The capacity to verify the correctness of the data
D. The correctness of the data

7. Managing the availability of a service as part of an overall Service Management initiative is
important for efficient service delivery. What is the reason behind managing Service
Availability?
A. Most service providers have Service Level Agreements (SLAs) with their customers so
availability is guaranteed.
B. Outsourcing is now a more valid option for today's IT, so availability of a service is left to the
capability of the outsourcer.
C. Service management tools provide real-time performance information, thus managing
availability is debatable.
D. The business is more dependent on IT in order to meet corporate goals, thus achieving
expected availability is crucial.

8. A power failure has knocked out the entire IT infrastructure. Fortunately, a Service Continuity
Plan is available. At what point should the Service Continuity Plan be invoked?
A. Immediately, as the service can no longer be used.
B. When the failure will likely extend beyond the targets defined in the Service Level Agreement
(SLA).
C. When the Incident Manager thinks this is necessary.
D. When the time within which the failure should be solved has been exceeded.

9. Where would an IT service for the customer be defined?
A. In the IT framework
B. In the Service Catalogue
C. In the Service Level Agreement (SLA)
D. In the Service Report

10. What process, other than Business relationship management, would review service
performance with the customer?
A. Availability Management
B. Service Reporting
C. Service Level Management
D. Budgeting and Accounting for Services

Conceptual Questions:

1. What is the difference between an SLA, an OLA and an underpinning contract with regard to the
parties that establish the agreement?
2. What is the objective of the Service Reporting process?
3. What is availability?
4. What are the three key elements to take into consideration in the Budgeting and Accounting for
Services process?
5. List four characteristics to take into account in the Capacity Plan.
6. What is confidentiality within the Information Security Management process?
7. What is the objective of the Information Security Management process?

Exam Terms

Service level, SLA, OLA, underpinning contract, SLR, service catalogue, service report, availability,
availability plan, continuity, continuity plan, risk, monitoring, testing, budgeting, accounting,
charging, cost types, capacity, capacity plan, information security policy, confidentiality, integrity,
security controls.

The relationship processes and their relationships:
Exam specifications (15%)

After reading Chapter 5, you will be familiar with the relationship processes. This will allow you to
reach the following objectives:

5.1 Understand the relationship processes (15%)
You will be able to:
5.1.1 Describe the objectives and quality requirements
5.1.2 Describe the activities and practical application for each process

5 The relationship processes and their relationships

This chapter deals with Section 7 of ISO/IEC 20000:2011. The relationship processes describe the
characteristics of the Supplier Management and Business Relationship Management processes.
The aim of both processes is to ensure that all parties are aware of the business needs and the
capabilities, limitations, responsibilities and obligations that concern them.

Figure 5.1: Supplier–Provider–Customer Relationships (Source: ISO/IEC 20000-1:2005)

5.1 Business Relationship Management

Objective: to ensure that mechanisms are established to manage the relationship between the
service provider and the customer(s).

There should be a strong link between the Business Relationship Management (BRM) process and
the Service Level Management (SLM) process. The SLM process should define and use measures
to evaluate service level performance. In contrast, the BRM process should seek to work closely
with the customer to understand future business objectives and direction.

5.1.1 Terms and Definitions

Term: Definition
Customer satisfaction: Degree of satisfaction with the performance that the customer perceives
regarding the agreed service(s).
Service complaint: Formal disagreement with the service delivered. To be a justified claim, the
disagreement should be related to what is agreed in the Service Level Agreement (SLA).
Escalation: Within the context of the Business Relationship Management process, transfer of a
service complaint to a higher authority, usually within the organization.

5.1.2 Activities

Identify interested parties: The service provider should identify and document its customers (user
groups and/or business units), other interested parties, suppliers and dependent sub-contracted
suppliers, in order to fully understand the dependencies between services.

Identify representatives: The service provider should identify a named individual(s) to be a clear
single point of contact, who is responsible for managing the relationship and customer
satisfaction for each customer. This individual may be chosen to manage the customer
relationship on a full-time basis, or may have the role combined with another role, if appropriate.

It is possible for the roles of business relationship manager and service level manager to be
performed by the same person, due to the close relationship between the BRM and SLM
processes. If this is the case, the role descriptions should distinguish the different nature of the
roles: the BRM process is strategic while the SLM process is operational or tactical. Not everyone
is able to combine both profiles.

Definition of communication mechanisms: The communication mechanisms established with the
customer should include ad-hoc meetings and informal meetings, in addition to formalized and
documented meetings. These mechanisms should aid understanding of the business environment in
which the service operates, including business needs, customer requirements and major changes.
The service provider should use this information to respond to the identified needs.

Reviews: The service provider should hold formal meetings with the customer to review customer
satisfaction, strategic direction and major exceptions to the performance of the services. The
meetings should be scheduled in advance and held regularly, at least annually. Meetings should be
more frequent when the service provider and the customer are managing a high rate of change or
when there are concerns about the quality of services.

Changes identified as necessary from these reviews should be reflected in the appropriate SLAs
and should be managed through the Change Management process.

Customer satisfaction survey: The service provider should establish a formal mechanism for
recording customer satisfaction. The frequency and scale of any measurement should be agreed
with the customer in advance, and this should include the sample of users to be surveyed.

Satisfaction survey results should be measured over time, so that trends in satisfaction can be
tracked and any necessary issues or improvements identified.

A documented service complaints procedure should be in place, including recording, investigating,
acting upon, reporting and closing any service complaints received. It should include an escalation
procedure to be used if the customer does not agree to or accept the proposed actions or
resolution. The complaint should remain open until the customer provides formal agreement that it
can be closed.

5.2 Supplier Management

Objective: to manage suppliers in order to ensure the provision of seamless, quality services.

Service providers can use suppliers to operate some parts of the processes or services, or to
supply components such as hardware and software. All suppliers should use this process. The
supplier management process can be an adequate supplement for the Service Level Management
process as far as the management of internal groups and customers acting as suppliers is
concerned.

Figure 5.2: Supply Chain (Source: ISO/IEC 20000-1:2011)

5.2.1 Terms and Definitions

Term: Definition
Lead supplier: Supplier in charge of any other subcontracted supplier. The lead supplier should
record the names of all subcontracted suppliers and their responsibilities and relationships,
making this information available to the service provider.
Subcontracted supplier: Supplier contracted and managed by the lead supplier, rather than the
service provider.

Contractual disputes: Disagreement between the parties who signed the contract.
Premature Termination: Contract termination before the scheduled date. Situations that may cause
premature termination, as well as actions to take, should be agreed in the contract.

5.2.2 Activities

5.2.2.1 Managing contracts

The service provider should designate a contact person responsible for the relationship with each
supplier. The contract should include the requirements and service levels required of the supplier.
The service targets agreed on in the supplier’s contract should be articulated to ensure that the
service provider’s SLAs with the customer can be met.

All supplier contracts should contain a review schedule. At least an annual review should be
scheduled. If a contract includes penalties or bonuses, their basis should be clearly stated and
compliance with the requirements and service targets measured and reported upon.

The service provider should, at planned intervals, obtain evidence that the supplier is meeting all
requirements of the contract. All outcomes of meetings, reviews and audits concerning the
subcontracted service should be reviewed to identify opportunities for improvement. Where
changes are required, they should be controlled using the Change Management process.

5.2.2.2 Managing sub-contracted suppliers

It should be clear whether the service provider is dealing with all suppliers directly or with lead
suppliers, each taking responsibility for sub-contracted suppliers.

The service provider should obtain evidence, from lead suppliers, that lead suppliers are formally
managing sub-contracted suppliers. An example of this relationship is shown in the following
picture:

Figure 5.3: Subcontracted suppliers (Source: ISO/IEC TR 20000-3)

5.2.2.3 Contractual disputes management

Both the service provider and the supplier should agree on a process for managing disputes, and
this process should be defined within the contract between provider and supplier. An escalation
path should be available for disputes that cannot be resolved through the normal means of
communication. The process should ensure that disputes are recorded, investigated, acted upon
and formally closed.

5.2.2.4 Contract termination

The contract management process should include provision for contract termination, either at the
expected end or prematurely. It should also allow for the transfer of the service to another
organization at the end of the contract (costs, intellectual property rights, hardware, software
licences and data).

Exam Preparation: chapter 5

To help prepare for the exam, we have included multiple choice and conceptual questions (the
answer key can be found at the end of this workbook). Additionally you are provided with an
overview of terms with which you should be familiar.

Sample Questions

1. What is a responsibility of the Service provider with regard to Supplier Management as
defined in ISO/IEC 20000-1?
A. To ensure that a process exists for the procurement of suppliers
B. To ensure that contracts with suppliers are aligned with SLAs of the business
C. To ensure that subcontracted suppliers meet contractual requirements in all circumstances
D. To ensure that supplier processes and procedures are defined

2. What document is directly supported by the supplier contract?
A. Service Level Agreement (SLA)
B. Operational Level Agreement (OLA)
C. Service Management Plan
D. Service cost model

3. The relationship processes describe the relationships with the business and with the
suppliers. What do the relationship processes ensure?
A. That business requirements and outcomes are the primary driver in managing the business
and supplier relationship.
B. That the business and suppliers are directly informed of major incidents.
C. That the service levels for all services are consistent in the supply chain.
D. That there is a frequent contact between the suppliers and the business to resolve issues.

Conceptual Questions:

1. List the activities of the Business Relationship Management process.
2. What is a "service complaint"?
3. What is a "premature contract termination"?
4. What is the objective of Supplier Management?

Exam Terms

Lead supplier, subcontracted supplier, service complaint, escalation, customer satisfaction,
contract management, conflict management, contract termination.

The resolution processes and their relationships:
Exam specifications (10%)

After reading Chapter 6, you will be familiar with the processes that support the organization in its
daily activities. This will allow you to reach the following objectives:

6.1 Understand the resolution processes and their relationships (Incident and service request
management, Problem management)
You will be able to:
6.1.1 Describe the objectives and quality requirements
6.1.2 Describe the activities and practical application for each process

6 The resolution processes and their relationships

This chapter deals with Section 8 of ISO/IEC 20000:2011.

6.1 Incident and Service Request Management

Objective: to manage incidents and service requests consistently to ensure that incident resolution
or request fulfillment is achieved within agreed service targets and time frames.

Data collected as part of the incident and service request process should be used to monitor
performance against relevant service targets and can be included in service reports to the
customer.

6.1.1 Terms and Definitions

Term: Definition
Incident: An incident is considered to be an unplanned interruption to a service, a reduction in the
quality of a service or a failure of a configuration item that has not yet impacted a service.
Service Request: Request for information, request for guidance, request for access to standard
services or pre-approved changes.
Priority: Relative importance of an incident, problem or change. Priority is based on impact (effect
of an incident, problem or change on business processes) and urgency (how long it will be until an
incident, problem or change has a significant impact on the business).
Escalation: Within the context of the Incident and Service Request Management process, transfer
of an incident or service request to a higher technical (functional) or hierarchical level for
resolution.

6.1.2 Activities

The incident and service request management process should be supported by two separate
documented procedures. The first is for the management of incidents, the second for the
management of service requests. The two procedures should define the following:

Recording: Mechanisms for recording incidents and service requests, ensuring proper use, storage
and retrieval of data.

Classification and Priority: All incidents and service requests should be classified so they can be
acted upon in line with their priority and service target commitment. Classification should include
determining which CIs are impacted, which in turn should help identify the personnel who may
need to be involved in resolution or fulfillment.

The priority should be agreed with the customer upon receipt of the incident or service request, or
as soon as possible afterwards. The determination of the priority should be based on an
assessment of the impact and urgency of the incident or service request in question.

Escalation: Rules for escalations, including triggers (events that cause the escalation), functional
or hierarchical types and authority to invoke.

Resolution: Detailed definition of the activities to be carried out to resolve the incident or service
request, including access to necessary information (configuration management database, known
errors database, service catalog and other relevant documents and records).

Closure: Definition of the actions required to close an incident or service request record upon user
confirmation that the incident has been resolved or the service request fulfilled.

Throughout the whole process, appropriate communication channels with customers and users
should be established in order to inform on the status of their requests or incidents.

6.1.3 Major incident procedure

The incident and service request management process should include a documented procedure
specifically for the handling of major incidents. A major incident generally has a higher impact
and requires special attention to resolve. The major incident procedure should define:

• What constitutes a major incident
• Who has the authority to declare a major incident and how it will be declared
• Who should coordinate and control activities and who should be involved
• How resolution efforts will be conducted
• What communications should be provided during and following major incidents
• The format, timing and participants required for a major incident review following resolution
• The interfaces with the service continuity and availability management process, in the
event that service continuity invocation is required

6.2 Problem Management

Objective: to identify the unknown, underlying root causes of incidents and propose permanent
resolutions through the change management process, as well as to proactively prevent incidents
from occurring through trend analysis and recommendations of preventative actions.

6.2.1 Terms and Definitions

Term: Definition
Problem: Root cause (origin) of one or more incidents. The cause is not usually known at the time
a problem record is created, and the problem management process is responsible for further
investigation.
Workaround: Temporary action carried out for reducing or eliminating the impact of an incident or
problem for which a full resolution is not yet available.
Known Error: Problem that has an identified root cause or a workaround available.

6.2.2 Activities

The problem management process should include procedures for the activities listed below:

Identification: There should be a procedure for identifying how a problem arises:
a) Detection of an unknown root cause of one or more incidents
b) The analysis of one or more incidents revealing an underlying problem
c) A notification from a supplier or an internal group of a problem with a component of the
service

Recording: Relevant details of the problem, including the date and time, and a cross-reference to
the incident(s) that initiated the problem record, should be recorded.

Classification and Priority: Problems are categorized using the same classification criteria that are
used in the incident and service request management process. Each problem is given a priority for
resolution according to its urgency and the impact of related incidents. Based on this information,
time and resources for investigating the problem are allocated.

Investigation and Diagnosis: At this point, the necessary steps are taken in order to investigate and
diagnose the root cause and identify a resolution. While a resolution is being achieved, the
Problem Management process supports the Incident and Service Request Management process by
identifying workarounds. Problem diagnosis is complete when the root cause is identified and a
method of resolving the problem is identified.

Tracking: Progress through the problem management process is tracked, including details of the
persons responsible for progressing the problem and a record of all resources used and actions
taken.

Escalation: Setting rules for escalation, defining authorities, responsibilities and escalation points.

Documenting Known Errors: When the root cause and a proposed method of resolving the problem
are identified, a known error is recorded in the known error database, together with details of any
temporary fix. This record is not closed until after the permanent solution has been successfully
implemented via the change management process. Known errors are reported to the Incident and
Service Request Management process so that it can make use of the information about them.

Problem record closure: Once the problem has been mitigated or eliminated by appropriate
resolution, the problem record is closed.

After every major problem a review should be conducted to examine what was done correctly, what
was done wrong, what can be improved in the future and how to prevent similar situations.

6.2.3 Comparison between Incident Management and Problem Management

As we have seen in previous sections, both processes are closely related but should be kept
separate because of their characteristics:

Incident Management:
• The objective is to restore the service as soon as possible, with minimal impact ("it has to be
solved")
• Short resolution times.
• Process very visible to the rest of the organization.

Problem Management:
• The objective is to minimize or avoid the impact of incidents and problems ("it should not
happen again")
• Longer resolution times.
• The organization does not always perceive the results and the importance of this process, but
their absence would cause an increase in incidents.

Exam Preparation: chapter 6

To help prepare for the exam, we have included multiple choice and conceptual questions (the
answer key can be found at the end of this workbook). Additionally you are provided with an
overview of terms with which you should be familiar.

Sample Questions

1. When a service outage or other failure is reported, in what order will the processes be
executed?
A. Configuration Management, Incident Management, Change Management, Release
Management
B. Incident Management, Change Management, Problem Management, Release Management
C. Incident Management, Problem Management, Change Management, Release Management
D. Problem Management, Configuration Management, Release Management, Change
Management

2. Which process ensures that an interruption in the provision of services is diagnosed as
quickly as possible?
A. Change Management
B. Incident and Service Request Management
C. Problem Management
D. Service Level Management (SLM)

3. What is the intent of Incident and Service Request Management?
A. To communicate with customers as to future service disruptions
B. To match new incidents to known errors
C. To restore services as quickly as possible
D. To track problems into the known error database (KEDB)

Conceptual Questions:

1. What is priority and which parameters is it based on?
2. List three elements that should be taken into account in a major incident procedure.
3. What is a workaround?

Exam Terms

Incident, service request, priority, urgency, impact, escalation, major incident, problem, known error,
workaround, major problem.

The control processes and their relationships:
Exam specifications (20%)

After reading Chapter 7, you will be familiar with the processes responsible for controlling the
changes that occur in the processes and elements involved in the management of services. This
will allow you to reach the following objectives:

7.1 Understand control processes and their relationships
You will be able to:
7.1.1 Describe the objectives and quality requirements
7.1.2 Describe the activities and practical application for each process

7 The control processes and their relationships

This chapter deals with Section 9 of ISO/IEC 20000:2011.


The three processes that will be studied in this section are
Change Management, Configuration Management and
Release and Deployment Management. They all work in
coordination, allowing the control of the activities carried out
in the SMS.

Figure 7.1: Control Processes (Source: ITeratum)

7.1 Configuration Management

Objective: identification, control, recording, tracking, reporting and verification of configuration
items and the management of CI information in the Configuration Management Database.

Configuration Management establishes and maintains the integrity of information about services,
service components and CIs across the service lifecycle. The configuration management process
should also identify, manage and verify the information about relationships between CIs, as well as
the relationships between CIs and the services they support.

According to the standard ISO/IEC 20000:2011, the scope of the configuration management
process should exclude financial asset management but include an interface to the financial asset
management process.

7.1.1 Terms and Definitions

Term: Definition

CI: CI stands for Configuration Item. A CI is an element that needs to be controlled in order to
deliver a service or services.

CMDB: CMDB stands for Configuration Management Database. The CMDB is a data store used to
record attributes of configuration items, and the relationships between configuration items,
throughout their lifecycle.

Configuration baseline: Configuration information formally designated at a specific time (“photo”)
during a service or service component's life. The configuration baselines, along with their approved
changes, represent the current configuration information.

7.1.2 Concepts

Configuration management should document the definition of each type of CI and identify each CI
according to the configuration management policy and procedures. Configuration information is
recorded in a CMDB that includes data on configuration items, versions, relationships, baselines
and releases. The information for each CI should include:
• Identifier
• Description
• Status
• Location
• Relationships and associated records (RFCs, incident, problem and known error records)

Configuration information should be maintained by approved individuals and made available only to
approved interested parties.

7.1.3 Types of CIs

There are several elements that can be considered CIs. CI types should include:
• Services as listed in the catalogue of services and their related information and documents (SLAs, agreements, contracts, service requirements, specifications of service design)
• Service components, including hardware, software and licenses, tools, applications, documentation, supporting services
• All the releases of services, systems and software configuration baselines
• Master copies of CIs stored in physical and/or electronic libraries and in the CMDB
• Information security assets
• SMS documentation (policies, process documentation, procedures, plans)

7.1.4 Maintenance of CIs

No CI should be added, modified, replaced or removed/withdrawn without appropriate controlling
documentation (e.g. an approved request for change). The evolving status of CIs through their
lifecycle should be documented as a baseline triggered at designated times or under defined
circumstances.

To protect the integrity of systems, services and the infrastructure, records of CIs and the CMDB
should be held in a suitable and secure environment. There should also be a means for disaster
recovery of the CMDB.

Configuration audit activities should be performed both at planned intervals and in response to
specific events. Adequate procedures and resources should be in place to:

• Verify that the service provider is in control of the information about all CIs and their relationships within the scope of the process
• Verify that the service provider is in control of information about the location and quantity of software licenses
• Provide confidence that configuration information is accurate, controlled and visible to approved personnel
• Identify the cause of any discrepancies between the actual and expected configuration information and resolve in coordination with the change management process
• Ensure that a configuration baseline is done at regular intervals and at least prior to the deployment of a release into the live environment
• Ensure confidentiality and accessibility of the information in the CMDB

7.2 Change Management

Objective: to manage changes through their lifecycle, ensuring all changes are assessed,
approved, implemented and reviewed in a controlled manner.

The change management process provides a structured approach for the effective implementation
of changes that minimizes risk and prevents incidents. To do this there must be procedures to
record, classify, evaluate, approve, plan, develop, test and deploy the changes.

7.2.1 Terms and Definitions

Term: Definition

RFC: RFC stands for Request For Change. An RFC is a proposal for a change to be made to a
service, service component or the service management system. A change to a service includes the
provision of a new service or the removal of a service which is no longer required.

Change Schedule: A document that lists all authorized changes and their planned implementation
dates.

Standard Change: A pre-authorized change that is low risk, relatively common and follows a
procedure.

Emergency Change: A change that must be introduced as soon as possible, for example, to resolve
a major incident.

Normal Change: A change that is not an emergency change or a standard change. Normal changes
can be categorized as major, significant and minor, depending on the level of cost and risk involved.
This categorization can be used to identify an appropriate change authority (role).

7.2.2 Change Management Policy

A change management policy should be established and documented that defines the CIs under
the control of the change management process. The change management policy should define
criteria for determining which changes should be managed through the change management
process and which changes should be managed through the design and transition of new or
changed services process. The criteria used to determine changes to be managed through the
design and transition of new or changed services process should include changes for the removal
of a service and changes for the transfer of a service from the service provider to another party.
The other party can be the customer or a supplier.

7.2.3 Reviewing the RFC

Recorded RFCs should be analysed at planned intervals to identify increasing levels of changes,
frequently recurring types, emerging trends and other relevant information. The results and
conclusions drawn from the analysis of changes should be recorded and used to identify
opportunities for improvement.

Once the change has been deployed and accepted, a Post-Implementation Review (PIR) is
performed to verify that the change was successful and that there were no problems. In this case,
the request for change should be closed. The request for change can also be closed when a decision
not to carry out the change has been made. When the request for change has been closed, the
result of the change should be reported to the initiator of the request for change and other
interested parties.

7.2.4 Emergency Changes

For emergency changes there should be a defined process, and these changes should be
differentiated from other changes, due to the increased risk and often increased cost of approving
and implementing them. Emergency changes may be used to resolve emergency situations where
there is insufficient time to adhere to normal change process procedures, time lines and approval
authorities. Due to the urgency of implementing an emergency change, some details may be
documented retrospectively and some testing may not be possible. Even in that case, there should
be a plan to reverse or remedy the emergency change if it is unsuccessful.

7.3 Release and Deployment Management

Objective: to ensure that all releases are effectively deployed into the live environment so that the
integrity of hardware, software and service components is maintained.

The service provider should co-ordinate release and deployment activities with the customers,
users and interested parties. In many cases releases should be coordinated with business change
projects and with business change management.

The release and deployment management process should plan and manage individual releases for
new or changed services in coordination with both the design and transition of new or changed
services process and the change management process.

7.3.1 Terms and Definitions

Term: Definition

Release: Collection of one or more new or changed configuration items which are tested and then
deployed jointly into the live environment as a result of one or more changes.

Release Policy: Policy governing the vision of the organization about release and deployment
management.

Emergency release: Type of release carried out to implement emergency changes. The procedure
for this type of release must be closely related to the process for emergency changes.

Acceptance Criteria: Conditions set to validate a release before being deployed into the live
environment.

7.3.2 Release Policy

The service provider, together with the customer and interested parties, should develop and agree
on a release policy to help specify the frequency of releases and approach for each type of release.
A release policy can typically include:
• Definition of each type of release (emergency, major, significant, minor)
• The frequency of each type of release
• Definition of key roles and responsibilities
• Authority levels for release acceptance and deployment approvals
• Rules on verification and acceptance of releases
• Build and packaging of releases
• Release and deployment approach for each type of release including automated deployment methods and tools where applicable
• A predefined and consistent testing approach

7.3.3 Release and Deployment planning

The release and deployment planning should be developed with the customer and interested
parties. Project management methods and techniques should be used to support release and
deployment planning. These plans should always ensure that all changes are coordinated with the
change management process and should include an assessment of the impact of the release,
associated risks and the identification of any mitigation measures that would be employed to
minimize any unacceptable risks. Release and deployment plans should include the following
components:
• Scope and content of the release
• Services and service components to transfer, decommission or retire including licences
• Timetable for the deployment of the release with dates determined in consultation with the customer for each nominated site
• Roles and responsibilities for planning, coordinating, building, testing, deploying and reviewing the release
• Procedures and methods that ensure the integrity of software, hardware and other service components during deployment
• Test plans, including acceptance criteria
• The criteria that the release and deployment should be verified against, along with any appropriate criteria to be used for reversing or remediation of failed releases

7.3.4 Deployment activities and procedures

Deployment activities and procedures should include the following:


• Distributing and delivering the CIs at the correct location and time
• Verifying that the services and service components have been tested according to the acceptance tests
• Updating records for the new release and any CIs or services removed during the changeover
• Recording any incidents, problems, known errors, unexpected events or deviations from the plans
• Implementing corrective actions during the deployment
• Reversing or taking remedial action to correct an unsuccessful release

Exam Preparation: chapter 7

To help prepare for the exam, we have included multiple choice and conceptual questions (the
answer key can be found at the end of this workbook). Additionally you are provided with an
overview of terms with which you should be familiar.

Sample questions

1. What is the recommendation with regard to the implementation of an emergency Change?
A. Only the senior manager should authorize emergency changes.
B. The Change process should be completely bypassed.
C. There is a separate process for emergency changes.
D. Where possible the change process should be followed.

2. Which question cannot be answered directly from the configuration management database
(CMDB)?
A. What incidents or problems are related to this workstation?
B. Which Configuration Items (CIs) does a specific service consist of?
C. Which members of staff of department X have moved to department Y?
D. Which Requests for Change (RFCs) have been submitted for a specific server?

3. Which aspects of a Request for change (RFC) shall be assessed?
A. Business benefits, risk and impact
B. Risk, emergency level and classification
C. Risk, impact and effect on the incident management process
D. Risk, scope and impact on supplier relationships

4. Targets for resolution should be based on priority. When scheduling an authorized change
which will eliminate a known error, what should not be taken into account?
A. The available skills
B. The competing requirements for resources
C. The effort/cost to provide the method of resolution
D. The number of previously reported Incidents for the particular Configuration Item (CI)

5. Which process is responsible for recording the logical and physical relationships between the
various components of the IT infrastructure?
A. Availability management
B. Configuration management
C. Release management
D. Incident management

6. When implementing a new version of an application both Change management and Release
management are involved. What is the responsibility of the Change management process
here?
A. Change management has the implementation and installation task in this phase.
B. Change management plays a coordinating role in this phase.
C. Change management must check whether the new application functions properly.
D. Change Management draws up the Request for change (RFC) in this phase.

7. New or changed services need to be accepted before being implemented into the live
environment. What shall be done after a new or changed service has been implemented?
A. A Post implementation review (PIR) is held comparing actual outcomes against those
planned.
B. An approach needs to be defined for interfacing to projects that are creating or modifying
services.
C. Nothing additional. The new or changed service goes into Business As Usual and will be
managed as a normal service.
D. The manner in which the Change shall be reversed or remedied, if unsuccessful, needs to be
defined.

8. What does a Release consist of?
A. A collection of one or more new or changed Configuration items (CIs) deployed into the live
environment
B. A change that consists of both hardware and software
C. A change of several CIs that are merged due to their size
D. A change of several CIs that are merged due to their minor impact

9. One of the activities required for effective planning, coordination and evaluation of requested
changes is assessing the impact and required resources. Which process or function is
responsible for this activity?
A. Change management
B. Configuration management
C. Release management
D. Service desk

10. In Change management, a number of activities take place between the acceptance of a
Request for Change (RFC) and the completion of the Change. Which activity is performed
first after acceptance of an RFC?
A. Building and testing the Change
B. Determining the urgency of the Change
C. Implementing the Change
D. Scheduling the Change

11. What must be included in the Release and Deployment Management procedures according
to ISO/IEC 20000?
A. The authorization and implementation of Emergency changes
B. The investigation and prevention of Information security incidents
C. The recording of all reported Incidents
D. Procedures to reverse an unsuccessful deployment

Conceptual questions:

1. What is a CI?
2. Describe three types of CI
3. What is a Standard Change?
4. Give an example of a change that should be managed through the design and transition of new
or changed services process.
5. What is the objective of Release and Deployment Management?
6. What are the acceptance criteria within Release and Deployment Management?
7. The procedure for emergency releases must be closely related to a procedure of another
process. Which one?

Exam Terms

CI, CMDB, configuration baseline, RFC, schedule of change, normal change, emergency change,
standard change, release, release types, emergency release, acceptance criteria.

8 List of Basic Concepts

This chapter contains the terms with which candidates should be familiar. Terms are listed in
alphabetical order. For concepts whose abbreviation and full name are included in the list, both can
be examined separately. Please note that knowledge of these terms alone does not suffice for the
exam; the candidate must understand the concepts and be able to provide examples.

Accountability
Accounting
Alignment
Analysis
Applicability
Assessment
Asset (management)
Attribute
Audit
Availability (management)
Awareness
Best practice
Budgeting
Business continuity (management/plan)
Business Impact Analysis
Business requirements
Capability
Capacity (management)
Certification
Change (management)
Classification
CMMI®
CobiT®
Complaints definition/process
Compliance
Component
Confidentiality
Configuration Baseline
Configuration Item (CI)
Configuration (management)
Configuration Management Database (CMDB)

Continual service improvement
Contract (management)
Contractual dispute
Contractual obligation
Control
Corporate policies and principles
Corrective action
Critical Success Factor (CSF)
Customer
Customer focus
Customer satisfaction (management)
Demand management
Deming Cycle
Disaster (recovery)
Distribution
Downtime
Effectiveness
Efficiency
Emergency change
Escalation (Functional)
Evaluation
Evidence
External audit
Forward Schedule of Change
Framework
Function
Governance
Impact
Incident (management)
Information security management
Input
Integrated processes
Integrity
Interface
Internal audit
ISO 9000
ISO/IEC 27001
ISO/IEC 20000
IT Service (Management)
ITIL® (IT Infrastructure Library)
Key performance indicator (KPI)
Knowledge base
Known error
Lead supplier
Major incident
Master copy
Maturity model

Measurable
Metric
Modeling
Monitor(ing)
Mutually beneficial supplier relationship
Non-availability
Non-compliance/non-conformance
Objectivity
Operational level agreement (OLA)
Output
Performance (Management)
Plan
Plan-Do-Check-Act (PDCA) methodology
Policy
Priority
Proactive identification
Problem (management)
Problem resolution
Problem review
Procedure
Process
Process owner
Process manager
Process-based quality management system
Quality (Assurance)
Quality management system
Quality objective
Quality policy
Quality standard
RACI (Responsible, Accountable, Consulted, Informed)
Record
Recovery (plan)
Relationship
Release (management)
Reliability
Remedial action
Request for change (RFC)
Requirement
Resource capacity (management)
Resource schedule
Responsibility
Restoring

Review
Risk
Role
Roll-out (planning)
Scoping
Security (management)
Security control
Security risk assessment
Service (management)
Service catalogue
Service continuity and availability management
Service continuity strategy
Service desk
Service level (management)
Service Level Agreement (SLA)
Service Level Requirements (SLR)
Service management policy/plan
Service provider
Service recovery
Service report
Service request
Six Sigma
Stakeholder
Subcontracted supplier
Supplier contract
Supplier (management)
Survey
Target
Tools
Traceability
Track
Throughput
Tuning
Underpinning contract
Urgency
User
Workaround
Workflow
Workload limit

Literature

Michael Kunas
Implementing Service Quality based on ISO/IEC 20000, 3rd Edition
United Kingdom, IT Governance Publishing, 2012
ISBN: 978 1 84928 442 4
e-pdf ISBN 978 1 84928 444 8

Mart Rovers
ISO/IEC 20000-1:2011: A Pocket Guide 2nd Edition
The Netherlands, Van Haren Publishing, 2013
ISBN 978 90 8753 726 5
e-pdf ISBN 978 90 8753 787 6
e-pub ISBN 978 90 8753 9733

ISO/IEC
ISO/IEC 20000-1:2011 Part 1: Service management system requirements
Switzerland, ISO, 2011

ISO/IEC
ISO/IEC 20000-2:2012 Part 2: Guidance on the application of service management systems
Switzerland, ISO, 2012

Organizations

Throughout this book there have been references to different organizations. Following are a
number of links to their corporate websites:

International Organization for Standardization (ISO)
Link: http://www.iso.org
Description: ISO (International Organization for Standardization) is the world’s largest developer of
voluntary International Standards. ISO is an independent, non-governmental organization made up
of members from the national standards bodies of 163 countries. ISO has a Central Secretariat in
Geneva, Switzerland, that coordinates the system. ISO develops International Standards. ISO was
founded in 1947, and since then has published more than 19 500 International Standards covering
almost all aspects of technology and business.

International Electrotechnical Commission (IEC)
Link: http://www.iec.ch
Description: The International Electrotechnical Commission (IEC) is the world’s leading organization
that prepares and publishes International Standards for all electrical, electronic and related
technologies. IEC is a not-for-profit, non-governmental organization, founded in 1906, whose
Central Office is in Geneva, Switzerland. IEC is made up of national committees from 82 countries.
IEC provides a platform to companies, industries and governments for meeting, discussing and
developing the International Standards they require.

Information Systems Audit and Control Association (ISACA)
Link: http://www.isaca.org
Description: ISACA provides practical guidance, benchmarks and other effective tools for all
enterprises that use information systems. As an independent, nonprofit, global association, ISACA
engages in the development, adoption and use of globally accepted, industry-leading knowledge
and practices for information systems. ISACA is widely recognized for its certifications and
frameworks, including COBIT®, Val IT and Risk IT.

AXELOS
Links: http://www.axelos.com/officialsite.asp, http://www.itil-officialsite.com/
Description: AXELOS Limited are the current owner of ITIL®. AXELOS are a new joint venture
company, created in 2013 by the Cabinet Office on behalf of Her Majesty's Government (HMG) in
the United Kingdom and Capita plc to run the Best Management Practice portfolio, including the
ITIL® and PRINCE2® professional standards.

Software Engineering Institute (SEI)
Link: http://www.sei.cmu.edu
Description: The Carnegie Mellon Software Engineering Institute (SEI) works closely with defense
and government organizations, industry, and academia to continually improve software-intensive
systems. Founded in 1984, SEI is funded with federal funds from the U.S. government for research
and development and is based at Carnegie Mellon University. One of its most popular products is
CMMI®, the Capability Maturity Model Integration.

Answers

Chapter 1
Sample Questions:

1. What is Six Sigma®?
A. It is a quality instrument to measure defects in process outputs.
B. It is a six step maturity model to improve the capability of business processes.
C. It is a standard that was developed for improvement of IT processes.
D. It is a structured, statistically based approach to process improvement.

A. Incorrect. It is not only a quality instrument, it encompasses an improvement methodology.
B. Incorrect. It is not a maturity model.
C. Incorrect. It was developed for general business processes.
D. Correct. Six Sigma® provides businesses with the tools to measure statistically and to improve
the capability of their business processes.

2. A service provider can integrate their Service Management System with a quality
management system or an Information Security Management System to provide the highest
level of service to the customer. Which standard supports the Quality Management System?
A. ISO 9001
B. ISO/IEC 27001
C. COBIT®
D. ITIL®

A. Correct.
B. Incorrect. This standard covers the Information Security Management System.
C. Incorrect. COBIT® covers the IT Governance framework.
D. Incorrect. ITIL® covers the service lifecycle framework for Service management.

3. What is the focus of the Deming Cycle?
A. Continual improvement
B. Customer orientation
C. Designing new services
D. Cost calculation

A. Correct. Continual improvement is the focus of the Deming Cycle.
B. Incorrect. The focus of the Deming Cycle is continual improvement and not specifically
customer orientation.
C. Incorrect. The Deming Cycle can be used during the design phase, but the focus is on continual
improvement during all phases.
D. Incorrect. The focus of the Deming Cycle is not cost calculation, but continual improvement.

4. The Plan-Do-Check-Act (PDCA) methodology can be applied to all processes. What does the
Act phase of this methodology cover?
A. Establishing the objectives and processes necessary to deliver results in accordance with
Customer requirements and the organization's policies
B. Implementation of the processes
C. Monitoring and measuring the services rendered and the Service management system (SMS)
D. Taking the necessary actions to continually improve

A. Incorrect. This action is taken during the Plan phase of the methodology.
B. Incorrect. This action is taken during the Do phase of the methodology.
C. Incorrect. These are the actions taken during the Check phase.
D. Correct. This action is taken during the Act phase of the methodology.

5. Why is it important that reviews are conducted regularly during the Check phase of the Plan-
Do-Check-Act (PDCA) methodology?
A. To be able to allocate roles and responsibilities
B. To be able to define the objectives and requirements that are to be achieved by Service
management
C. To be able to establish the Service management policy, objectives and plans
D. To determine whether the Service management requirements are effectively implemented and
maintained

A. Incorrect. This is part of implementing the Service Management Plan.
B. Incorrect. This is part of the Service Management Plan.
C. Incorrect. This is a part of top management responsibility.
D. Correct. This is part of the methodology in the Check phase.

6. What would be a good reason for organizations to adopt ISO/IEC 20000?
A. To confirm that all of the ITIL® guidelines have been implemented
B. To demonstrate alignment to customer requirements
C. To certify their services
D. To certify their products

A. Incorrect. ITIL® offers an extensive set of guidance while ISO/IEC 20000-1 provides
requirements.
B. Correct. This is referenced within the scope of the standard.
C. Incorrect. It is the Service Management System that gets certified not the services.
D. Incorrect. It is the Service Management System that gets certified not the products.

7. A process is a set of interacting activities which transforms inputs into outputs. What is the
Process owner responsible for?
A. Describing the process
B. Operating the process
C. Providing process reports
D. Setting up the process

A. Correct. The process owner has the authority and responsibility for ensuring that the process, its
interfaces to other processes and integration within the SMS are documented, adhered to,
measured and improved.
B. Incorrect. Operating the process is the responsibility of the process manager.
C. Incorrect. Process reporting is the responsibility of the process manager.
D. Incorrect. Setting up the process is the responsibility of the process manager under the
guidance of the process owner.

Conceptual questions:

1. Which are the three key components of an IT service?
• Information Systems
• Support
• Quality Specifications

2. According to the ISO 9001:2005 standard, what is a process?
A process is an activity or a group of activities that uses resources and that is managed in
order to get the input elements transformed into outcomes.

3. What are CSFs and KPIs?
A CSF is something that must happen for a service, process or activity to be successful, while
the KPIs are used to measure the achievement or not of each CSF. CSFs are qualitative while
KPIs are quantitative elements.

4. Describe the main roles in a process according to the ISO/IEC 20000-2 standard.
• Process Owner: responsible for describing the process and its results.
• Process Manager: responsible for the operation of the process, the day-to-day control and management.
• Process Personnel (teams or professionals): responsible for certain activities.

5. Which is the objective of the ISO/IEC 20000:2011 standard?
To ensure the provision of managed services according to an acceptable level of quality for
customers negotiated with them.

6. What is the main difference between Part 1 and 2 of ISO/IEC 20000:2011?
Part 1 considers “what to do” in an SMS, while Part 2 considers “what should be done”. In
other words, while Part 1 provides information about what is mandatory according to the
standard, Part 2 provides recommendations to be followed.

7. What is COBIT®?
A worldwide accepted reference framework for the IT Governance based on the standards
and best practices of the industry.

8. Which are the five steps in DMAIC methodology used in Six Sigma®? What is it based on?
Define, Measure, Analyze, Improve and Control. It is based on Deming’s PDCA cycle.

Chapter 2
Sample Questions:

1. IT Service Management needs to be planned to establish the objectives, processes and
procedures necessary to deliver results in accordance with the customer requirements and
the organization's policies. What should definitely be included in the Service Management
Plan?
A. The appropriate tools to support the processes
B. The interfaces between business processes
C. The procedure for dealing with emergency releases
D. The service continuity procedures

A. Correct. The tools appropriate to the processes should be mentioned in the Service
Management Plan.
B. Incorrect. The interfaces between the business processes should not be included in the Service
Management Plan.
C. Incorrect. Procedures are part of the processes and do not have to be included in the Service
Management Plan.
D. Incorrect. Procedures are part of processes and do not have to be included in the Service
Management Plan.

2. Top management has to provide evidence of its commitment to planning, establishing,
implementing, operating and improving its Service Management System within the context of
the organization's business and customers' requirements. What is the best way that
management can make this visible?
A. By outsourcing Change management
B. By taking disciplinary action against underperforming employees
C. By taking part in the planning of new IT services
D. Through leadership and actions

A. Incorrect. Outsourcing Change Management is irrelevant.
B. Incorrect. This is not sufficient action to ensure that commitment from top management is
visible.
C. Incorrect. Taking part in the planning of new services is insufficient action to ensure that
commitment from top management is visible.
D. Correct. Top management can make their commitment visible by showing strong leadership and
taking firm actions, establishing and communicating the scope, policy and objectives for service
management and communicating the importance of fulfilling service requirements.

3. Why is it important for service providers to maintain documents and records?
A. To be able to uniquely identify and record all Configuration Items (CIs) in the Configuration
Management Database (CMDB)
B. To ensure effective planning, operation and control of the Service Management System
(SMS)
C. To ensure employees are aware of the relevance and importance of their work activities
D. To meet the requirements (evidence) to become ISO/IEC 20000 compliant

A. Incorrect. This is part of Configuration Management.
B. Correct. Services, documents and records are needed to ensure effective planning, operation
and control of the SMS.
C. Incorrect. This is part of competence, awareness and training.
D. Incorrect. Producing documents should never be a goal solely to become ISO/IEC 20000
compliant.

4. Why are processes and procedures required for a service management system?
A. To be able to define service management objectives in a structured manner
B. To ensure that service issues never arise
C. To provide consistency in the output from activities
D. To satisfy the needs of major suppliers

A. Incorrect. Processes and procedures should support the service management objectives.
B. Incorrect. Service issues are a part of day to day life; processes and procedures will help to
prevent and minimize their impact.
C. Correct. A predictable approach is required.
D. Incorrect. Touch points with suppliers are needed to demonstrate end to end quality control.

5. What should be recorded as a baseline prior to implementing a plan for service improvement?
A. Backlog of changes for the service
B. Number of staff involved
C. Service or component configurations
D. Time taken to operate the process

A. Incorrect. This may be one of the measures if backlog of changes is to be reduced but there
may be other details too.
B. Incorrect. This may be one of the measures if staff numbers are to be improved but there may
be other details too.
C. Correct. The standard recommends the current configuration of affected components be
captured before implementation so as to measure improvement as well as to create a fallback point.
D. Incorrect. This may be one of the measures if time taken is to be improved but there may be
other details too.

6. Personnel should be competent on the basis of appropriate education and experience. What is a
requirement relating to competence?
A. Appropriate records of education, training, skills and experience need to be maintained
B. At least two employees should be suitably trained for each role
C. Employees should have at least a relevant bachelor's degree
D. Personnel should all have a relevant Security training according to ISO/IEC 27002

A. Correct. This is a best practice according to the standard.
B. Incorrect. This is relevant to availability of resources, however not a best practice for competency.
C. Incorrect. A bachelor's degree is not a requirement, relevant training for the role is.
D. Incorrect. This is a specific training for Information security, but not a best practice for competency in
general.

Conceptual questions:

1. When ISO/IEC 20000 refers to "third parties", who are they?
It refers mainly to:
• Internal Groups
• Customers acting as suppliers
• Suppliers

2. What is the difference between document and record?
Document refers to information and its supporting medium. Record is a document stating
results achieved or providing evidence of activities performed.

3. In Resource Management, what are the minimum resources to be considered according to the
ISO/IEC 20000 standard?
• Human Resources
• Technical Resources
• Information
• Financial Resources

4. What are the main responsibilities of a Process Owner?
The Process Owner is responsible for the design of the process, for ensuring adherence to
the process and for the measurement and improvement of the process.

5. List five elements to be taken into account when designing the Service Management Plan.
• The service management objectives
• Service requirements
• Resources, facilities, budgets
• Authority, responsibility and role definition
• Tools for process support

6. What kind of audits should be performed in the Monitor and Review stage of the SMS?
• Self-assessment, performed by its own department.
• Internal audit, performed by an internal department within the organization.
• Vendor audit, performed by a supplier.
• External audit, performed by an independent, external and qualified organization.

Chapter 3
Conceptual questions:

1. In which cases is it especially appropriate to apply the Design and Transition of new or changed
services process?
This process should be applied to new or changed services that are either high risk or have a
potentially major impact on services or the customer, or wherever there are interfaces with
tasks or deliverables that fall outside the scope of SMS.

2. What approach should be used when planning a modification of an existing
service that is vital for the business?
Since it is a vital process for the business, Section 5 of the ISO/IEC 20000:2011 standard
applies. Regarding the planning, it should be managed as a project due to the size, risks
and scope of the changes.

3. List three elements to be considered when designing new services.
• Required inputs to and outputs from each activity
• Planning, resource organization, teams organization and responsibilities
• The analysis of the possible risks

Chapter 4
Sample Questions:

1. How can an organization determine the effectiveness of the Service Level Management
(SLM) process?
A. By checking contracts with suppliers
B. By defining Service levels
C. By measuring customer satisfaction
D. By reporting on all incidents

A. Incorrect. Contracts with suppliers are part of the SLM process but you cannot determine the
effectiveness of the process by checking the contracts.
B. Incorrect. Defining Service levels is important to deliver IT services but they do not provide
information about the effectiveness of the SLM process.
C. Correct. Customer satisfaction is the most important aspect to determine the effectiveness
(ability to achieve desired results) of SLM process.
D. Incorrect. By reporting on all Incidents you can determine the effectiveness of Incident
Management but not the effectiveness of the SLM process.

2. Where are agreements regarding Service delivery and its relationship to Information security
management recorded?
A. In a Capacity Plan
B. In a Configuration Management Database (CMDB)
C. In a Definitive Software Library (DSL)
D. In a Service Level Agreement (SLA)

A. Incorrect. A Capacity Plan describes the (future) capacity needs.
B. Incorrect. Agreements are not recorded in the CMDB. In the CMDB all IT components,
Configuration Items (CIs) and their relationships are recorded.
C. Incorrect. The DSL only stores authorized software items.
D. Correct. Agreements with the customer are recorded in an SLA.

3. The Service catalogue for a network company states that LAN authorization requests will be
complete within three weeks. A manager who is a client of the network company does not
believe this is achievable and requests a report demonstrating achievement of the catalogue
statement. Which process is responsible for providing this report?
A. Availability Management
B. Change Management
C. Problem Management
D. Service Level Management (SLM)

A. Incorrect. Meeting customer's requests is the responsibility of SLM.
B. Incorrect. SLM is responsible for meeting customer's requirements and should issue this report.
C. Incorrect. SLM is the process responsible for meeting the customer's requirements and should
issue this report.
D. Correct. SLM is responsible for meeting the customer's requirements and for issuing related
reports. Note that Service Reporting would most likely produce the report based on a request from
SLM.

4. In Continuity management various precautionary measures are taken to ensure Services are
delivered during/after a catastrophe. An example would be having an emergency electrical
power supply. Which process could also initiate this kind of measure?
A. Availability Management
B. Capacity Management
C. Change Management
D. Incident Management

A. Correct. Availability Management can take certain measures to ensure service delivery under
abnormal conditions. One of them is to initiate an emergency electrical power supply.
B. Incorrect. Capacity Management is strategically responsible for the right capacity at the right
time, not for the availability of emergency electrical power.
C. Incorrect. Change Management is responsible for installing an emergency electrical power
supply as it is a change but Change Management is not responsible for initiating these measures.
D. Incorrect. Incident Management is responsible for solving incidents as soon as possible. Taking
precautionary measures is not a task of Incident Management.

5. What is the intent of the Service continuity and availability management processes?
A. To ensure agreed effective communication towards Customers
B. To ensure that agreed levels of service commitments to Customers can be met in all
circumstances
C. To ensure that agreed Service continuity and availability commitments to Customers can be
met within agreed targets
D. To ensure that agreed Service continuity and availability commitments to providers can be
met in all circumstances

A. Incorrect. Effective communication is not the intent of the process Service Continuity and
Availability Management. It is more relevant to Service Reporting.
B. Incorrect. Managing levels of service is the intent of the Service Level Management process.
C. Correct. This is the intent of the Service Continuity and Availability Management processes.
D. Incorrect. Service Continuity and Availability Management is a process between a supplier and
a Customer, not between a supplier and a provider.

6. What is the description of Integrity in the Information security management process?
A. Access to the data at any moment
B. Protection of the data
C. The capacity to verify the correctness of the data
D. The correctness of the data

A. Incorrect. The accessibility of data does not mean the data is correct, as is meant by the
concept 'Integrity'.
B. Incorrect. The protection of the data is called 'Security'.
C. Incorrect. Not the capacity to verify the correctness of the data but the correctness itself is
called 'Integrity'.
D. Correct. The correctness of the data is called 'Integrity'.

7. Managing the availability of a service as part of an overall Service Management initiative is
important for efficient service delivery. What is the reason behind managing Service
Availability?
A. Most service providers have Service Level Agreements (SLAs) with their customers so
availability is guaranteed.
B. Outsourcing is now a more valid option for today's IT, so availability of a service is left to the
capability of the outsourcer.
C. Service management tools provide real-time performance information, thus managing
availability is debatable.
D. The business is more dependent on IT in order to meet corporate goals, thus achieving
expected availability is crucial.

A. Incorrect. Regardless of a formal or informal SLA, IT must deliver services to meet business
goals.
B. Incorrect. Even if services are outsourced, managing service availability is just as critical so as to
meet business needs.
C. Incorrect. Just because IT can collect more data does not mean it should be collected, nor is it
all valuable. Managing availability requires more than real-time data input.
D. Correct. The relationship between IT and the business is more critical than ever and in order for
the business to maintain its goals, Services must be delivered to meet agreed upon service levels.

8. A power failure has knocked out the entire IT infrastructure. Fortunately, a Service Continuity
Plan is available. At what point should the Service Continuity Plan be invoked?
A. Immediately, as the service can no longer be used.
B. When the failure will likely extend beyond the targets defined in the Service Level Agreement
(SLA).
C. When the Incident Manager thinks this is necessary.
D. When the time within which the failure should be solved has been exceeded.

A. Incorrect. The Service Continuity Plan will be invoked after a predefined time not immediately
after the Incident takes place.
B. Correct. The Service Continuity Plan will be invoked if the targets as defined in the SLA cannot
be met.
C. Incorrect. The Service Continuity Plan will be invoked after a predefined time not at the call of
the Incident Manager.
D. Incorrect. When the time to repair a failure exceeds the agreed maximum time this is not directly
a reason to invoke the Service Continuity Plan.

9. Where would an IT service for the customer be defined?
A. In the IT framework
B. In the Service Catalogue
C. In the Service Level Agreement (SLA)
D. In the Service Report

A. Incorrect. The IT framework provides a structure for service management but would not define
the service itself.
B. Incorrect. The Service Catalogue shows all the possible services a provider can offer.
C. Correct. The SLA would define the service for the customer.
D. Incorrect. The Service Report would provide details of service performance not define the
service.

10. What process, other than Business relationship management, would review service
performance with the customer?
A. Availability Management
B. Service Reporting
C. Service Level Management
D. Budgeting and Accounting for Services

A. Incorrect. Availability Management will provide information for the review. Service Level
Management will review service performance (achievement of SLA targets) with the customer.
B. Incorrect. Service Reporting will create the service report that may be given to the customer.
Service Level Management will review service performance (achievement of SLA targets) with the
customer.
C. Correct. Service Level Management will review service performance (achievement of SLA
targets) with the customer.
D. Incorrect. Budgeting and Accounting for Services will provide service cost information for each
service, customer or location. This information will be presented to the customer typically by
Service Level Management. Service Level Management will review service performance
(achievement of SLA targets) with the customer.

Conceptual questions:

1. What is the difference between an SLA, an OLA and an underpinning contract with regard to the
parties that establish the agreement?
• An SLA is an agreement between the customer and the service provider.
• An OLA is an agreement between an internal group of the organization and the service
provider.
• An underpinning contract exists between the service provider and an external supplier.

2. What is the objective of the Service Reporting process?
To ensure the production of agreed, timely, reliable, accurate reports to facilitate informed
decision making and effective communication.

3. What is availability?
The ability of a service or service component to perform its required function at an agreed
instant or over an agreed period of time. Availability is normally expressed as a ratio or
percentage of the time that the service or service component is actually available for use by
the customer to the agreed time that the service should be available.

4. What are the three key elements to take into consideration in the Budgeting and Accounting
for Services process?
Budgeting, Accounting and Charging, although the latter is not obligatory according to the
ISO/IEC 20000-1 standard.

5. List four characteristics to take into account in the Capacity Plan.
• Current and forecast service usage, ideally including recommendations regarding
opportunities to influence the demand for capacity
• The impact on capacity and performance of agreed requirements for availability, service
continuity and service targets
• Potential impact of new technologies on capacity and performance
• Potential impact on statutory, regulatory, contractual and organizational requirements

6. What is confidentiality within the Information Security Management process?
The security principle that requires that only authorized personnel have access to a particular
set of data.

7. What is the objective of the Information Security Management process?
To ensure that security controls are in place to protect information assets and that information
security requirements are incorporated into the design and transition of new or changed
services.

Chapter 5
Sample Questions:

1. What is a responsibility of the Service provider with regard to Supplier Management as defined in
ISO/IEC 20000-1?
A. To ensure that a process exists for the procurement of suppliers
B. To ensure that contracts with suppliers are aligned with SLAs of the business
C. To ensure that subcontracted suppliers meet contractual requirements in all circumstances
D. To ensure that supplier processes and procedures are defined

A. Incorrect. Selection and procurement are outside the scope of the standard.
B. Correct. A focus on end-to-end Service Management is essential.
C. Incorrect. This is the responsibility of the Lead Suppliers.
D. Incorrect. The Service provider does not define the supplier processes and procedures.

2. What document is directly supported by the supplier contract?
A. Service Level Agreement (SLA)
B. Operational Level Agreement (OLA)
C. Service Management Plan
D. Service cost model

A. Correct. All supplier contracts should support and align with the SLAs between the service provider
and customer.
B. Incorrect. Just as the supplier contract supports the SLA, so should the OLA.
C. Incorrect. The Service Management plan structures the planning and deployment of the service
management system, thus guiding the activities of the IT organization. It will not directly support a supplier
contract.
D. Incorrect. A service cost model would include the cost of supplier services. The contract directly
supports the SLA which will drive the cost model based on requirements.

3. The relationship processes describe the relationships with the business and with the
suppliers. What do the relationship processes ensure?
A. That business requirements and outcomes are the primary driver in managing the business
and supplier relationship.
B. That the business and suppliers are directly informed of major incidents.
C. That the service levels for all services are consistent in the supply chain.
D. That there is a frequent contact between the suppliers and the business to resolve issues.

A. Correct. The Relationship processes cover Supplier management and Business relationship
management, and together they should ensure that the business needs of the Customer are
understood and remain the driver for all actions.
B. Incorrect. Dealing with major incidents should include communication across all areas involved,
including top management as well as the customers affected. However, this is managed within the
Incident and Service Request Management process and is the responsibility of the designated
individual responsible for managing major incidents. It is therefore outside of the scope of the
relationship processes.
C. Incorrect. It is not necessary for the service levels to be consistent across all suppliers, and in
fact it is unlikely that this will be the case. It is however necessary that supplier service levels are
aligned with those of the business, so that the Service level agreements (SLAs) agreed with the
customer can be met.
D. Incorrect. The business should not have direct contact with the suppliers. The service provider
is responsible for managing the suppliers to ensure the quality of the services provided to the
business.

Conceptual questions:

1. List the activities of the Business Relationship Management process.
1) Identify Interested parties
2) Identify representatives
3) Definition of communication mechanisms
4) Reviews
5) Customer satisfaction survey

2. What is a "service complaint"?
A service complaint is a formal disagreement with the service delivered. To be a justified claim,
the disagreement should be related to what is agreed in the Service Level Agreement (SLA).

3. What is a “premature contract termination”?
A contract termination before the scheduled date. There may be many situations that could
cause a premature termination. Those causes, as well as actions to be taken, should be
agreed in the contract.

4. What is the objective of Supplier Management?
Managing suppliers to ensure the provision of seamless, quality services.

Chapter 6
Sample Questions:

1. When a service outage or other failure is reported, in what order will the processes be
executed?
A. Configuration Management, Incident Management, Change Management, Release
Management
B. Incident Management, Change Management, Problem Management, Release Management
C. Incident Management, Problem Management, Change Management, Release Management
D. Problem Management, Configuration Management, Release Management, Change
Management

A. Incorrect. The entry of a service failure will not begin with Configuration management, but will be
formally logged within the Incident management process.
B. Incorrect. Finding root cause via Problem management will typically occur prior to submitting a
Change.
C. Correct. This is the order of the processes.
D. Incorrect. Change management will assess and authorize any Change prior to the
implementation via Release management.

2. Which process ensures that an interruption in the provision of services is diagnosed as
quickly as possible?
A. Change Management
B. Incident and Service Request Management
C. Problem Management
D. Service Level Management (SLM)

A. Incorrect. Change Management will not diagnose a failure.
B. Correct. Incident and Service Request Management is responsible for restoring the interrupted
services as quickly as possible.
C. Incorrect. Problem Management is responsible for finding the cause of one or more incidents to
avoid future interruptions.
D. Incorrect. SLM does not diagnose or resolve incidents.

3. What is the intent of Incident and Service Request Management?
A. To communicate with customers as to future service disruptions
B. To match new incidents to known errors
C. To restore services as quickly as possible
D. To track problems into the known error database (KEDB)

A. Incorrect. Communication is an important activity performed by the Service Desk to support
Incident Management but is not its intent.
B. Incorrect. Incident matching is not the intent of Incident management. It is part of an Incident
Management activity.
C. Correct. This is the intent of Incident and Service Request Management.
D. Incorrect. This is a responsibility of Problem Management.

Conceptual questions:

1. What is priority and which parameters is it based on?
Priority is the relative importance of an incident, problem or change. It is based on impact
(effect of an incident, problem or change on business processes) and urgency (how long it will
be until an incident, problem or change has a significant impact on the business).

2. List three elements that should be taken into account in a major incident procedure.
• What constitutes a major incident
• Who has the authority to declare a major incident and how it will be declared
• Who should coordinate and control activities and who should be involved

3. What is a workaround?
Temporary action carried out for reducing or eliminating the impact of an incident or problem
for which a full resolution is not yet available.

Chapter 7
Sample questions:

1. What is the recommendation with regard to the implementation of an emergency Change?
A. Only the senior manager should authorize emergency changes.
B. The Change process should be completely bypassed.
C. There is a separate process for emergency changes.
D. Where possible the change process should be followed.

A. Incorrect. The authorization of the emergency Change is part of the process and there is no
recommendation about who does this.
B. Incorrect. It is not recommended to bypass the whole process although some activities may be
bypassed and covered later.
C. Incorrect. There is a requirement for a separate policy for emergency Changes but not a
recommendation for a separate process.
D. Correct. It is recommended that the Change process should be followed where possible
although any activities bypassed should be undertaken as soon as possible.

2. Which question cannot be answered directly from the configuration management database
(CMDB)?
A. What incidents or problems are related to this workstation?
B. Which Configuration Items (CIs) does a specific service consist of?
C. Which members of staff of department X have moved to department Y?
D. Which Requests for Change (RFCs) have been submitted for a specific server?

A. Incorrect. Incidents and Problems are related to CIs and are registered in the CMDB.
B. Incorrect. Relationships between CIs are registered in the CMDB.
C. Correct. Personnel moves would be tracked by Human Resources and only current office
location information would be directly part of the CMDB.
D. Incorrect. An RFC is registered in the CMDB. When the Change is implemented the CMDB will
be updated.

3. Which aspects of a Request for change (RFC) shall be assessed?
A. Business benefits, risk and impact
B. Risk, emergency level and classification
C. Risk, impact and effect on the incident management process
D. Risk, scope and impact on supplier relationships

A. Correct. An RFC shall be assessed on risk, impact and benefits.
B. Incorrect. Emergency is a type of classification. Classification is not assessed, but assigned to an
RFC.
C. Incorrect. Effect on the Incident Management process shall not be assessed.
D. Incorrect. Impact on supplier relationships shall not be assessed.

4. Targets for resolution should be based on priority. When scheduling an authorized change
which will eliminate a known error, what should not be taken into account?
A. The available skills
B. The competing requirements for resources
C. The effort/cost to provide the method of resolution
D. The number of previously reported Incidents for the particular Configuration Item (CI)

A. Incorrect. This is a relevant aspect for scheduling Incident or Problem resolution.
B. Incorrect. This is a relevant aspect for scheduling Incident or Problem resolution.
C. Incorrect. This is a relevant aspect for scheduling Incident or Problem resolution.
D. Correct. This is not relevant when scheduling resolution. It is relevant when identifying
Problems.

5. Which process is responsible for recording the logical and physical relationships between the
various components of the IT infrastructure?
A. Availability management
B. Configuration management
C. Release management
D. Incident management

A. Incorrect. Configuration Management is responsible for recording the components of the
infrastructure and their relationships.
B. Correct. This is the primary intent of Configuration Management.
C. Incorrect. Release Management is not responsible for the recording of the components of the IT
infrastructure.
D. Incorrect. Incident Management is not responsible for the recording of the components of the IT
infrastructure.

6. When implementing a new version of an application both Change management and Release
management are involved. What is the responsibility of the Change management process
here?

A. Change management has the implementation and installation task in this phase.
B. Change management plays a coordinating role in this phase.
C. Change management must check whether the new application functions properly.
D. Change Management draws up the Request for change (RFC) in this phase.

A. Incorrect. This activity belongs to the Release Management process.
B. Correct. The Change Management process plans, coordinates and approves all activities in this
phase.
C. Incorrect. This is a Release Management task.
D. Incorrect. An RFC would already be in place for an application to reach the implementation
stage.

7. New or changed services need to be accepted before being implemented into the live
environment. What shall be done after a new or changed service has been implemented?
A. A Post implementation review (PIR) is held comparing actual outcomes against those
planned.
B. An approach needs to be defined for interfacing to projects that are creating or modifying
services.
C. Nothing additional. The new or changed service goes into Business As Usual and will be
managed as a normal service.
D. The manner in which the Change shall be reversed or remedied, if unsuccessful, needs to be
defined.

A. Correct. This clause is part of the standard.
B. Incorrect. This is part of the Service Management Plan, and not relevant after new or changed
services have been implemented.
C. Incorrect. According to the standard a PIR is necessary. Doing nothing additional is not an
option.
D. Incorrect. This clause is part of Change management, and this should already be in place
or defined before implementing.

8. What does a Release consist of?
A. A collection of one or more new or changed Configuration items (CIs) deployed into the live
environment
B. A change that consists of both hardware and software
C. A change of several CIs that are merged due to their size
D. A change of several CIs that are merged due to their minor impact

A. Correct. A Release is a collection of one or more new or changed CIs deployed into the live
environment.
B. Incorrect. A Release can also consist of only software or hardware.
C. Incorrect. The size of the Release is not relevant.
D. Incorrect. The impact of the Release is not relevant.

9. One of the activities required for effective planning, coordination and evaluation of requested
changes is assessing the impact and required resources. Which process or function is
responsible for this activity?
A. Change management
B. Configuration management
C. Release management
D. Service desk

A. Correct.
B. Incorrect.
C. Incorrect.
D. Incorrect.

10. In Change management, a number of activities take place between the acceptance of a
Request for Change (RFC) and the completion of the Change. Which activity is performed
first after acceptance of an RFC?
A. Building and testing the Change
B. Determining the urgency of the Change
C. Implementing the Change
D. Scheduling the Change

A. Incorrect. Building and testing the Change will take place after classification has been done. Part
of classification is to determine the urgency.
B. Correct. The first step after the acceptance is to determine the urgency of the Change.
C. Incorrect. Implementing the Change will take place after building, testing and scheduling have
been done.
D. Incorrect. Scheduling the Change will take place after classification has been done. Part of
classification is to determine the urgency.

11. What must be included in the Release and Deployment Management procedures according
to ISO/IEC 20000?
A. The authorization and implementation of Emergency changes
B. The investigation and prevention of Information security incidents
C. The recording of all reported Incidents
D. Procedures to reverse an unsuccessful deployment

A. Incorrect. This is part of the Change management procedures.
B. Incorrect. This is part of the Information security management procedures.
C. Incorrect. This is part of the Incident management procedures.
D. Correct. According to the standard this is a requirement.

Conceptual questions:

1. What is a CI?
CI stands for Configuration Item. According to the standard ISO/IEC 20000:2011, a CI is an
element that needs to be controlled in order to deliver an IT service.

2. Describe three types of CI

• Services as listed in the catalogue of services and their related information and documents
(SLAs, agreements, contracts, service requirements, specifications of service design)
• Service components, including hardware, software and licenses, tools, applications,
documentation, supporting services
• SMS documentation (policies, process documentation, procedures, plans)

3. What is a Standard Change?


A pre-authorized change that is low risk, relatively common and follows a procedure.

4. Give an example of a change that should be managed through the design and transition of
new or changed services process.
Changes for the removal of a service and changes for the transfer of a service from the
service provider to another party (the other party can be the customer or a supplier).

5. What is the objective of Release and Deployment Management?


To ensure that all releases are effectively deployed into the live environment so that the
integrity of hardware, software and service components is maintained.

6. What are the acceptance criteria within Release and Deployment Management?
Conditions set to validate a release before being deployed into the live environment.

7. The procedure for emergency releases must be closely related to a procedure of another
process. Which one?
The procedure for emergency releases must be closely related to the process for emergency
changes of the Change Management process.
