
ISO 20000

A Look into the Future


Question for the Crowd

• How many in the audience are auditors and how many are the audited?
Why are we here today?

Answer: Because Gartner said so

“By 2008, ITIL Compliance will be a buying criteria in 75% of relevant IT sourcing decisions.”
Gartner Inc, January 5, 2006

There is only one way to achieve ITIL Compliance: ISO 20000 Certification
Agenda

• What is ITIL?
• What is IT Service Management?
• What is ISO 20000?
• Alignment of ITIL and ISO 20000
• ISO 20000 Certification
• Summary
• Questions
Question for the Crowd

• How many of you have been part of an ITIL-based process improvement effort or audited the results of one?
ITIL is only part of the answer
ITIL = IT Infrastructure Library

….. and all within 45 minutes so I’ll have to ask you to listen quickly
IT Governance Audit Models
Triumph of the Quality Management Frameworks

[Figure labels: COSO; Sarbanes-Oxley; US Securities & Exchange Commission; CobIT; Quality System; Project Mgmt.; IT Planning; IT Security; App Dev; IS Strategy; IT Operations; ITIL; ISO 9000; ITSM; ISO 20000; Six Sigma; TSO; CMMi; ASL; ISO 17799; PRINCE2; SDLC; ISO 27001; PMBOK]
What ITIL is . . .
A Rich history, frankly
• A cohesive framework of well-defined IT best practices, drawn from the
public and private sectors, that represents an ‘open’ methodology and
defines processes, roles, workflows, and metrics
• Provides organizations with a proven, practical, and integrated method to
assess, build and continuously improve their service-oriented IT
environments
• Establishes basis for driving IT performance and quality improvements
• “Owned” by the UK Office of Government Commerce (OGC), who protects
the core ITIL standard while enabling maximum contribution from users
and experts worldwide
• Just issued version 3 (May 07) which contains sweeping changes
• Implemented by 20%+ of the $1 billion+ U.S. firms and even higher rates of
adoption in Europe
• Supported by a comprehensive personal qualification scheme, accredited
training organizations, and implementation and assessment tools
• Integrates with other frameworks such as CMMI, CobiT or SEI and quality
initiatives such as Six Sigma, ABC, and Benchmarking
But on the down side
What irks IT Managers about ITIL

• ITIL is not a standard against which organizations, vendors, or service providers can
be certified
• ITIL is not prescriptive (i.e. it does not tell you what to do)
– does not contain detailed process maps
– does not provide work instructions
– does not explain how to get from a current state of
‘brokenness’ to one of operational maturity
• ITIL Prescribes need for process improvement
but does not specify preferred vendors or tools
or approaches
• ITIL implementations typically require 3rd party
Business Justification/ROI is difficult
This is the #1 reason ITIL Projects are not launched
• Difficult to benchmark IT processes vis-à-vis other
organizations
• Difficult to quantify ITIL benefits
• Most organizations lack meaningful ‘baselines’ for
process metrics
• Tools and process impacts overlap - tendency to
‘double count’ savings
• ITIL impacts many qualitative business elements (e.g.,
customer satisfaction, culture, etc.) as well
• Depth and breadth of an implementation is specific to
the priorities and maturity levels of each process
ITIL Benefits
Just a short list – there are others
• Establishes cost-effective IT services for all
stakeholders
• Aligns IT Services with defined business needs
• Ensures better communication between IT and the
business through common language
• Improves the quality and reduces the long-term cost
of provisioning IT services
• Creates a solid foundation for continuous
improvement
• Improves IT’s ability to absorb a high rate of change
• Increases IT organization’s transparency and
accountability
The ITIL Jigsaw (v2)
Lots of books covering every possible IT topic
Questions for the Crowd

• Who has audited or been audited on their IT Service Management practices?
What is IT Service Management?
The Beating Heart of IT

• Top-down, business driven approach to management that addresses IT’s strategic business value
• Ensures IT Services are aligned to business needs and of
improving value
• An enterprise IT service approach, implemented with
services and software, that enables:
– Breakthrough reductions in cost structures
– Availability of critical business services
– Verifiable governance standards established by internal and
external stakeholders
• Designed to focus on the people, processes and
technology issues faced by the IT support organization
ITIL’s ITSM ‘books’
The Critical Mass of ITIL Adoption

[Figure: the ITIL books, arranged between “The Business” and “The Technology”: Planning to Implement Service Management; The Business Perspective; Service Support; Service Delivery; ICT Infrastructure Management; Security Management; Applications Management]
The ITIL ITSM Process Suite
A Whole new industry marketspace
Service Support
• Ongoing support for users of IT Services (more operational and tactical)
– Incident Management
– Problem Management
– Change Management
– Release Management
– Configuration Management

Service Delivery
• Defines quality services for customers and the ability within which to deliver them (more strategic)
– Service Level Management
– Availability Management
– Capacity Management
– IT Service Continuity Management
– Financial Management for IT Services

ITIL Functions
– Service Desk
Why is ITSM a ‘now’ topic?
The train has left this station
• Organizations are increasingly dependent on IT service
provision
• Higher visibility
• More exacting user demands
• Increased complexity of the infrastructure
• Chargebacks for IT services
• Competition for customers
• Threat of outsourcing targeted IT services as well as
the entire operation
Typical goals of an ITSM project?
The tyranny of customer expectations

• IT Services will meet Business requirements
• Cost-efficient, consistent, reliable, effective, and
transparent IT services
• Improved relationships
• Expectations met or exceeded
• Gain some sort of competitive edge
• Increase market share or demonstrably improve
operating margins
• Improve dramatically IT-business communications
ITSM Project Approach
Getting the effort going
• What is the Vision? → Program and Project Governance
• Where are we now? → Maturity Assessments
• Where do we want to be? → Process Design
• How do we get where we want to be? → Process Improvement & Baseline
• How do we know we have arrived? → Process Metrics
• Keep the momentum going
Question for the Crowd

• How many in the audience have used ISO 20000 in an audit of their own, or have been audited by ISO 20000 certified staff?
ISO 20000 Fast Facts
Just what the world needed - another auditing standard
• Issued internationally in December 2005 (derived from BSI
15000)
• A set of “controls” against which an organization can be
assessed for effective ITSM process implementation
• A formal definition of the requirements for an organization
to deliver managed IT services of an acceptable quality
• Promotes adoption of a systematic approach to IT process
• Establishes the means to measure internal IT organizations
vis-à-vis 3rd-party suppliers
• Enables external benchmarking of IT Service provisioning
• Provides an independently verifiable means to measure IT-based
process implementations (e.g. ITIL, ITSM, MOF)
• Costs $800
ISO 20000 High-Level Breakdown
Something for everyone
• Part 1: Specification for ITSM
– Provides the requirements for ITSM organizations to gain certification
– Relevant to those initiating, implementing or maintaining ITSM projects
– Senior Management is accountable for ensuring all these requirements
are met
• Part 2: Code of Practice for ITSM
– Provides guidance to internal auditors
– Assists service providers planning service improvements
– Helps organizations prepare for audits against ISO 20000
• Part 3: Scope & Applicability
– Not yet formally published (agreement on content expected end of 2007)
– Advice on ITSM scoping and planning
– Includes scope statements for Certification audits
– Suggestions on applicability (e.g. expanding audit to include
communications or more technology enabled services than ITSM)
ISO 20000 Structure
Table of Contents
• Introduction and overview
• Scope, terms and definitions
• Requirements for a management system
• Planning and implementing ITSM
• Planning and implementing new or changed IT
services
• Process groupings
ISO 20000 Processes
Close but not Quite
• Management Systems: Management Responsibility, Documentation Requirements, Competences, Awareness & Training
• Planning & Implementation: Plan, Implement, Monitor, Improve (Plan…. Do…. Check….. Act……)
• Planning New Services: Planning & Implementing New or Changed Services
• Service Delivery Processes
– Capacity Management
– Service Level Management
– Service Reporting
– Information Security Management
– Service Continuity & Availability Management
– Budgeting & Accounting for IT Services
• Control Processes
– Configuration Management
– Change Management
• Release Processes
– Release Management
• Resolution Processes
– Incident Management
– Problem Management
• Relationship Processes
– Business Relationship Management
– Supplier Management
[Callouts on the slide: “New Category altogether”; “New process”]
ISO 20000 Framework
COBIT has a cube, so why not ISO 20000?

Not to be confused with COBIT controls

[Figure: ISO 20000 framework cube. Labels: Planning New Services; Planning & Implementing; Management System; Continuous Improvement; Service Delivery Processes; Control Processes; Release Processes; Resolution Processes; Relationship Processes]
‘Shall’ Statements
Showing compliance with all 217 requirements
Examples of ‘Shall’ Requirements
The Challenge of proving compliance of each one
Unique Benefits of ISO 20000
What it has that ITIL doesn’t
• More prescriptive
– Specified 400+ areas of guidance (i.e. Should statements) that
indicate breadth and depth of expertise
• Includes requirements for managing suppliers and other 3rd
party service providers
• Depicts the IT Service Reporting process
• Impartial and verifiable external method of assessment
• Provides a benchmark with best practices
• Positions organization to win business from suppliers that
require it
• Serves as a mechanism for governments to specify buying
criteria
Why Implement ISO 20000?
Reasonable reasons, but are they compelling?

• Lays out a consistent approach by all service providers in a supply chain
• Basic business requirement for an organization (as was
ISO 9000)
• Provides an auditable method to assess IT Service quality
and conformance
• Assists organizations to enforce process compliance
• Improves Business unit confidence, customer satisfaction,
and ultimately IT department morale
• Provides clear evidence that ITSM quality is taken
seriously
• Wins business from government or large organizations
The Future of ISO 20000
Nothing in here about improving adoption!
Question for the Crowd
• How many of you have tried to integrate two
different but overlapping frameworks?
– Six Sigma and CMMI
– COBIT and ITIL
– Lean Manufacturing and ISO 9000/1
– Balanced Scorecard and COSO
– SarbOx and FSEIC
– ISO 17799 and SAS-70
Intersection of ISO 20000 and ITIL
An emerging picture

• ITIL has been adopted by many organizations as a proven methodology for managing their IT
services but it is not a standard
• ISO 20000 Certification provides proof through
audit that best practice has been deployed
through an independent, external, evaluation
• Soooo…
– ISO 20000 sets the process marks for which an ITIL
implementation should aim
Impact of ITIL’s v3 Refresh
Things are going to get much more interesting

• Lifecycle approach is now ingrained in the framework
• Standards Alignment will come as part of the package
• Confusion will reign for some time
Question for the Crowd

• How do you think ISO 20000 compares to ISO 17799 (Security) or ISO 9000 (Quality) in terms of:
– Scope?
– Clarity?
– Applicability?
– Market Demand?
ISO 20000 Auditor Relationships
All 3 communities are represented

[Figure: auditor relationships, with a “You are here” marker]
Certification Scope
Auditing Mother’s Milk
• Aimed at organizations providing ITSM operations (internal or
external)
• Certification IS NOT appropriate for organizations which provide
best practice advice (instead, consultancies are supposed to give
advice in preparation for an independent audit)
• Certification IS NOT possible for products such as ITSM tools, per se
• Certification IS important to organizations:
– where quality IT services are essential (e.g. financial and health
services, utilities, government providers, heavily regulated entities)
– that provide managed services and outsourced IT services
• For those not seeking certification – use ISO 20000 as a guide
• Process areas already certified from other standards (e.g. ISO
9000) are not usually required to be re-audited – as long as scope is
similar
• Can be costly (i.e. be careful what you ask for….)
ISO 20000 Education program
Are you an ACP, an RCB, or an auditing target?

• Accredited Course Providers (ACP)
– Appointed by itSMF
– Must be ITIL Managers-certified with relevant background experience
– Must follow itSMF established guidelines regarding course content and
structure
• Registered Certified Body (RCB)
– Appointed by itSMF as qualified to perform ISO 20000 audits
– Staff will have taken and passed the ISO 20000 Auditors Exam
– Must be recognized by applicable National Accreditation Body
– Totally independent from any consultancy services
– Their auditors have been specifically trained in ITSM
Getting Audited
Dipping the frog in the boiling water
• Create program governance (e.g. SIP)
• Conduct initial self-assessment
• Implement self-improvements
• Choose an RCB
• Agree on audit terms of reference and scope
• Agree on dates, time-scales, locations, etc
• Conduct on-site audit of staff and process compliance
• Consider off-site possibilities
• Present audit findings
• Present ISO 20000 Certificate
Eligibility criteria
Convincing the auditor you are in the driver’s seat
• An organization must be able to demonstrate it has “Management Control” of each of the ISO 20000 processes
• So What is “Management Control”?
– knowledge and control of the inputs
– knowledge, use and interpretation of the outputs
– definition and measurement of metrics
– demonstration of objective evidence of accountability for process functionality
Post Certification Process
After the findings are found

• Certification is valid for three years
• Annual surveillance audits are required
• Internal audits are recommended
• Full re-audit will be carried out on the 3rd anniversary of
Certification award
Question for the Crowd

• Volunteers please…Please share one important fact about:
– ITIL
– ITSM
– ISO 20000
– Certification for ISO 20000
Summary
ISO 20000 is coming in 2008 – be ready

• Business requirement and customer satisfaction are primary considerations
• IT Services are a vital and core part of the business
• Organizational culture is important and has to be right
• Business is now thinking of IT as an end-to-end service
• ITSM is no longer optional
• Quality process-driven approaches and professional staff
deliver value
• Professional qualifications and certifications are
becoming increasingly important
• ITIL and ISO 20000 provide a solid framework for
developing an appropriate solution
ISO 20000 Resource Sites
Lots of content but fragmented and not free
• ISO 20000 Certification Site - www.isoiec20000certification.com
• IT Service Management Forum - www.itsmf.com
• Institute of IT Service Management - www.iosm.com
• OGC Home Site - www.ogc.gov.uk
• ISO 20000 toolkit - http://www.20000-toolkit.com/
• ISO 20000 Central - http://20000.fwtk.org/index.htm
• Best Practices Management - www.get-best-practice.biz
ISO 20000 Related Articles
A Relative dearth of thought leadership
• Achieving ISO 20000 certification
– http://www.nccmembership.co.uk/pooled/articles/BF_WEBART/view.asp?Q=BF_WEBART_212190
• ISO 20000 and what it means to you
– http://www.itsmwatch.com/itil/article.php/11700_3642116_2
• Defining success for ISO 20000 (CMDB)
– http://en.itsmportal.net/en/node/14659
• Why ISO 20000 puts ITIL in further peril
– http://www.itsm.mobi/2006/12/why-iso-20000-puts-itil-in-further.html
• Get ready for ISO 20000 Certification
– http://doingityourself.blogspot.com/2006/03/get-ready-for-iso-20000-certification.html
Questions?
