ISO/IEC 20000-1:2018 SERVICE MANAGEMENT SYSTEM

ABOUT THE ISO/IEC 20000 SERIES

The ISO/IEC 20000 series
• ISO/IEC 20000-1:2018 Requirements for an SMS (Service Management System)
• ISO/IEC 20000-2:2019 Guidance on the application of Service Management Systems
• ISO/IEC 20000-3:2019 Guidance on scope definition and applicability of ISO/IEC 20000-1:2018
• ISO/IEC 20000-6:2017 Requirements of certification bodies
• ISO/IEC TR 20000-7:2019 Guidance on the integration and correlation of ISO/IEC 20000-1:2018 to ISO 9001:2015 and ISO/IEC 27001:2013
• ISO/IEC 20000-11 (relationship with ITIL); ISO/IEC 20000-12 (relationship with CMMI-SVC)
• …
www.iso.org

ISO/IEC 20000-1:2018
• Third edition of ISO/IEC 20000-1 (previous in 2011)
• All requirements are mandatory
• Applicable to any organization regardless of type, size or nature of services delivered

The structure of ISO/IEC 20000-1:2018

1. Scope
   1.1. General
   1.2. Application
2. Normative references
3. Terms and definitions
   3.1. Terms specific to the management system standards
   3.2. Terms specific to service management
4. Context of the organization
   4.1. Understanding the organization and its context
   4.2. Understanding the needs and expectations of interested parties
   4.3. Determining the scope of the service management system
   4.4. Service management system
5. Leadership
   5.1. Leadership and commitment
   5.2. Policy
      5.2.1. Establishing the service management policy
      5.2.2. Communicating the service management policy
   5.3. Organizational roles, responsibilities and authorities
6. Planning
   6.1. Actions to address risks and opportunities
   6.2. Service management objectives and planning to achieve them
      6.2.1. Establish objectives
      6.2.2. Plan to achieve objectives
   6.3. Plan the service management system
7. Support of the service management system
   7.1. Resources
   7.2. Competence
   7.3. Awareness
   7.4. Communication
   7.5. Documented information
      7.5.1. General
      7.5.2. Creating and updating documented information
      7.5.3. Control of documented information
      7.5.4. Service management system documented information
   7.6. Knowledge
8. Operation of the service management system
   8.1. Operational planning and control
   8.2. Service portfolio
      8.2.1. Service delivery
      8.2.2. Plan the services
      8.2.3. Control of parties involved in the service lifecycle
      8.2.4. Service catalogue management
      8.2.5. Asset management
      8.2.6. Configuration management
   8.3. Relationship and agreement
      8.3.1. General
      8.3.2. Business relationship management
      8.3.3. Service level management
      8.3.4. Supplier management
   8.4. Supply and demand
      8.4.1. Budgeting and accounting for services
      8.4.2. Demand management
      8.4.3. Capacity management
   8.5. Service design, build and transition
      8.5.1. Change management
      8.5.2. Service design and transition
      8.5.3. Release and deployment management
   8.6. Resolution and fulfilment
      8.6.1. Incident management
      8.6.2. Service request management
      8.6.3. Problem management
   8.7. Service assurance
      8.7.1. Service availability management
      8.7.2. Service continuity management
      8.7.3. Information security management
9. Performance evaluation
   9.1. Monitoring, measurement, analysis and evaluation
   9.2. Internal audit
   9.3. Management review
   9.4. Service reporting
10. Improvement
   10.1. Nonconformity and corrective action
   10.2. Continual improvement

THE SERVICE MANAGEMENT SYSTEM (SMS)

Management System = set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives

Service Management System (SMS) = management system that is used to direct and control the service management activities of an organization

UNDERSTANDING THE ORGANIZATION AND ITS CONTEXT (4.1.)

The context (internal and external issues + interested parties + scope of the SMS)
• Internal issues: structure and governance, people, resources and capabilities, organizational culture, internal customers (if any)…
• External issues: legislation, external customers, political and economic influences, market and competition, external situations and events…

The identification of external and internal issues is reviewed periodically

UNDERSTANDING THE NEEDS AND EXPECTATIONS OF INTERESTED PARTIES (4.2)

Identification of interested parties and their requirements

Interested parties (stakeholders) – persons or organizations that can affect or can be affected by the decisions or activities of the service provider (customers, personnel, suppliers, regulators, competitors, shareholders, etc.)

Requirements of interested parties can be documented (in contracts, laws, regulations, etc.), or implied.

THE SCOPE OF THE SMS (4.3.)

ISO/IEC 20000-3 – Guidance on scope definition and applicability

Scope = the services and types of services offered to customers and the name of the organization managing and delivering the services (what is covered by the SMS)

The scope can include all services and locations, or not. Financial aspects are not relevant for scope definition.

Minimum parameters for scope definition:
• Name of the organization
• Service(s) delivered

Optional parameters for scope definition:
• Location(s)
• Customer(s)

“The SMS covers organization ABC that delivers the following services .... from location(s) .... to customer X”

When other parties are involved:
- the organization is responsible and controls the activities they provide
- accountability for the fulfilment of the requirements in ISO/IEC 20000-1 remains with the organization
- the scope does not include the names of other parties.
The scope shall:
• Be documented
• Be concise
• Clearly identify any exclusions
• Be understandable for someone not familiar with the organization

CONTEXT OF THE ORGANIZATION (4)
- Determine internal and external issues
- Identify interested parties and their requirements
- Establish and document the scope of the SMS

LEADERSHIP AND COMMITMENT (5.1.)

The top management shall demonstrate leadership and commitment with respect to the SMS
- ESTABLISH POLICY AND OBJECTIVES
- ENSURE A SERVICE MANAGEMENT PLAN EXISTS
- ASSIGN APPROPRIATE LEVELS OF AUTHORITY
- DETERMINE WHAT REPRESENTS VALUE
- ENSURE THERE IS CONTROL OF OTHER PARTIES
- ENSURE INTEGRATION WITH BUSINESS PROCESSES
- MAKE RESOURCES AVAILABLE
- COMMUNICATE
- FACILITATE AND PROMOTE CONTINUAL IMPROVEMENT
- DIRECT AND SUPPORT OTHERS TO CONTRIBUTE TO THE SMS AND TO DEMONSTRATE THEIR LEADERSHIP

THE SERVICE MANAGEMENT POLICY (5.2.)

The SM policy includes:
- a commitment to satisfy applicable requirements
- a commitment to continually improve the SMS and the services

The SM policy is:
- DOCUMENTED
- COMMUNICATED IN THE ORGANIZATION
- APPROPRIATE TO THE PURPOSE OF THE ORGANIZATION
- A FRAMEWORK FOR SETTING OBJECTIVES
- CAN BE MADE AVAILABLE TO INTERESTED PARTIES
- REVIEWED PERIODICALLY

ORGANIZATIONAL ROLES, RESPONSIBILITIES AND AUTHORITIES (5.3.)
The top management ensures that responsibilities and authorities for different roles are assigned and communicated
• Service owner – holds the ultimate responsibility for a service
• Process owner – “owns” the process and is responsible for how the process is designed, how it works, how it is measured and improved
• Process manager – responsible for the operation of the process

Management representative – ensures that the SMS conforms to requirements and reports to the top management on the performance of the SMS and of the services

LEADERSHIP (5)
- The top management shall demonstrate leadership and commitment with regards to the SMS
- Establish, document and communicate a service management policy
- Assign and communicate responsibilities and authorities for different roles

ACTIONS TO ADDRESS RISKS AND OPPORTUNITIES (6.1.)

Identify and address risks and opportunities for the SMS and the services

A risk assessment should be performed
- Risks related to the organization
- Risks related to not meeting service requirements
- Risks in relation to the involvement of other parties

Risk = impact x probability

Establish what represents “acceptable risk”

Risk treatment options:
- Avoidance
- Mitigation
- Transfer
- Acceptance

Opportunities – identification and decision on their implementation

SERVICE MANAGEMENT OBJECTIVES AND PLANNING TO ACHIEVE THEM (6.2.)

Establish service management objectives at relevant functions and levels
- Consistent with the policy
- Measurable
- Take into account applicable requirements
- Communicated
- Monitored
- Documented

PLAN THE SERVICE MANAGEMENT SYSTEM (6.3.)
The Service Management Plan

Create, implement and maintain a Service Management Plan that will include or contain a reference to the following:
• List of services in the SMS
• Known limitations that may impact the SMS or the services
• Obligations and how they apply to the services and to the SMS
• Authorities and responsibilities for the SMS and services
• Resources required to operate the services and the SMS
• Approach on working with other parties
• Technology used
• Approach to measuring, auditing, reporting and improving the SMS and the services

RACI matrix (Responsible, Accountable, Consulted, Informed)

PLANNING (6)
- Identify and address risks and opportunities for the SMS and the services
- Establish service management objectives and plan actions for their achievement
- Create, implement and maintain a service management plan

RESOURCES (7.1.)

Determine and provide the resources needed to establish, implement, maintain and continually improve the SMS and the services.

COMPETENCE (7.2.)

Ensure that persons working under the organization’s control have the required competence
- Identify competence requirements
- Act to ensure that required competence is available (i.e. provide training, recruiting, mentoring, reassigning responsibilities, etc.)
- Evaluate the effectiveness of actions taken
- Retain documented information as evidence of competence

AWARENESS (7.3.)

Persons doing work under the organization’s control shall be aware of:
- The SM policy and objectives
- The services relevant to their work
- How to contribute to the SMS
- Benefits of improved performance
- Consequences of not conforming to requirements

COMMUNICATION (7.4.)

Internal communication
- Inform, motivate, explain…
- Provide feedback

External communication
- Communicate with interested parties

DOCUMENTED INFORMATION (7.5.)

Documented information for the SMS
• Documents specifically required by the standard
• Documents determined by the organization as necessary for the SMS

The SMS documentation can vary between two organizations due to factors like: size, complexity of processes and services, competence of personnel.

SMS documentation can be in any format

Creating and updating documents
• Ensure proper identification and description (through date, format, author, code, reference number…)
• Consider suitable format(s)
• Review and approve documents before use

Control of documented information
• Distribution
• Access control
• Control of changes
• Retention
• Disposition

The controls also apply to documents of external origin

KNOWLEDGE (7.6.)

DETERMINE AND MAINTAIN THE KNOWLEDGE NEEDED TO SUPPORT THE OPERATION OF THE SERVICES AND OF THE SMS
- Knowledge is documented and undocumented
- It shall be available in a suitable style
- It shall be kept relevant

SUPPORT (7)
- Determine and provide the resources for the SMS and the services
- Identify competence requirements and act to ensure people obtain and maintain needed competence
- Ensure the awareness of persons working for the organization
- Determine external and internal communications relevant to the SMS and to the services
- Control the SMS documentation
- Determine, make available and keep relevant the knowledge required to operate the services and the SMS

OPERATIONAL PLANNING AND CONTROL (8.1.)

OPERATION OF THE SMS

8. Operation of the service management system
   8.1. Operational planning and control
   8.2. Service portfolio
      8.2.1. Service delivery
      8.2.2. Plan the services
      8.2.3. Control of parties involved in the service lifecycle
      8.2.4. Service catalogue management
      8.2.5. Asset management
      8.2.6. Configuration management
   8.3. Relationship and agreement
      8.3.1. General
      8.3.2. Business relationship management
      8.3.3. Service level management
      8.3.4. Supplier management
         8.3.4.1. Management of external suppliers
         8.3.4.2. Management of internal suppliers and customers acting as supplier
   8.4. Supply and demand
      8.4.1. Budgeting and accounting for services
      8.4.2. Demand management
      8.4.3. Capacity management
   8.5. Service design, build and transition
      8.5.1. Change management
         8.5.1.1. Change management policy
         8.5.1.2. Change management initiation
         8.5.1.3. Change management activities
      8.5.2. Service design and transition
         8.5.2.1. Plan new or changed services
         8.5.2.2. Design
         8.5.2.3. Build and transition
      8.5.3. Release and deployment management
   8.6. Resolution and fulfilment
      8.6.1. Incident management
      8.6.2. Service request management
      8.6.3. Problem management
   8.7. Service assurance
      8.7.1. Service availability management
      8.7.2. Service continuity management
      8.7.3. Information security management
         8.7.3.1. Information security policy
         8.7.3.2. Information security controls
         8.7.3.3. Information security incidents

OPERATIONAL PLANNING AND CONTROL

Plan, implement and control the processes needed to meet requirements and to implement what has been planned.
- Establish performance criteria for processes
- Keep documented information
- Control planned changes to the SMS
- Control outsourced processes

SERVICE DELIVERY (8.2.1.)

8.2. Service portfolio
   8.2.1. Service delivery
   8.2.2. Plan the services
   8.2.3. Control of parties involved in the service lifecycle
   8.2.4. Service catalogue management
   8.2.5. Asset management
   8.2.6. Configuration management

The organization shall perform the activities required to deliver the services and shall operate its SMS ensuring the coordination of activities and resources.

PLAN THE SERVICES (8.2.2.)

Plan the services, meaning:
- Determine and document service requirements
- Determine the criticality of services
- Identify and manage dependencies and duplication between services
- Propose changes to align services with the service management policy and objectives and with service requirements

CONTROL OF PARTIES INVOLVED IN THE SERVICE LIFECYCLE (8.2.3.)
- External suppliers
- Internal suppliers
- Customers acting as suppliers

The organization remains accountable and controls the activities of third parties

It’s not acceptable to outsource everything and claim conformity to ISO/IEC 20000-1

Determine and document:
- Services provided or operated by third parties
- Service components provided or operated by third parties
- Processes or parts of processes operated by third parties

SERVICE CATALOGUE MANAGEMENT (8.2.4.)

Create and maintain a service catalogue (or several)

What to include in the service catalogue?
- Name and description of each service
- Service level targets
- Contact hours
- Service hours
- Service support
- Service options
- Price(s)
- Service owner
- How to request the service
- Security arrangements
- Dependencies
- Supporting contracts (if they exist)
- …

ASSET MANAGEMENT (8.2.5.)

ASSETS USED TO DELIVER THE SERVICES SHALL BE MANAGED TO MEET REQUIREMENTS (hardware, software, equipment, buildings, vehicles, licenses…)

ISO 55001 – Asset management systems

CONFIGURATION MANAGEMENT (8.2.6.)

Identify, record, control, track and verify configuration items

Configuration item = element that needs to be controlled in order to deliver one or several services (hardware parts, software, operating systems, databases, facilities, services, information)

configuration item vs. asset

RECORD FOR EACH CI:
- Unique identification
- Type
- Description and the role in the service
- Relationships with other CIs
- Status

THE LATEST CONFIGURATION INFORMATION SHALL BE RETAINED AND MADE AVAILABLE TO OTHER SERVICE MANAGEMENT ACTIVITIES AS NEEDED

SERVICE PORTFOLIO (8.2.)
- Perform the activities required to deliver the services and operate the SMS to ensure the coordination of activities and resources
- Plan services identifying requirements, criticality and overlapping
- The organization controls and remains accountable for the activities performed by other parties involved in the service lifecycle
- Create, maintain and make available to interested parties a (several) service catalogue(s)
- Identify and manage assets according to requirements
- Identify, record, control, track and verify configuration items, control changes to configuration items and audit the information on configuration items

BUSINESS RELATIONSHIP MANAGEMENT (8.3.2.)

Identify and document customers and users of services

Build the communication with customers to understand how services are used, how they can be improved and what additional services can be proposed
• Regular reviews of service performance with customer representatives
• Measurement of customer satisfaction
• Review and analyze the information on customer satisfaction
• Manage complaints and keep customers informed

SERVICE LEVEL MANAGEMENT (8.3.3.)
The organization shall agree with its customers on the services to be delivered and shall establish for each service one or several SLAs (Service Level Agreements)

SLAs include:
- service level targets
- exceptions
- workload limits

Service performance is monitored against SLAs and results are reported to the customer regularly

SUPPLIER MANAGEMENT (8.3.4.)
• Documented contracts with external suppliers
• Documented agreements (i.e. contracts, policies, procedures) with internal suppliers and customers acting as suppliers
• Lead suppliers manage sub-suppliers, and the organization can ask for evidence of relationships and controls
• The performance of suppliers is monitored by the organization
• Disputes with suppliers are recorded and managed to closure

RELATIONSHIP AND AGREEMENT (8.3.)
- Business relationship management identifies customers and builds the communication with customers. Customer satisfaction shall be monitored, and complaints managed by the organization
- The organization agrees with customers on the services and SLAs. Service performance is monitored against the SLAs
- Documented contracts with external suppliers and agreements with internal suppliers and customers acting as suppliers. The performance of suppliers is monitored.

BUDGETING AND ACCOUNTING FOR SERVICES (8.4.1.)

CONTROL FINANCIAL ASPECTS OF SERVICES, UNDERSTAND AND MANAGE COSTS
• Direct costs – can be traced directly to the provision of services
• Indirect costs – cannot be allocated in full to a specific service

- Calculate the cost of services
- Forecast costs and income
- Develop a budget (considering planned changes)
- Monitor costs against the budget

DEMAND MANAGEMENT (8.4.2.)
Understand the demand for services to help adjust capacity
- Determine current demand for services
- Estimate future demand
- Monitor and report the demand and consumption of services

CAPACITY MANAGEMENT (8.4.3.)

Ensure that the organization has sufficient capacity to meet current and future demand for services.
- Plan capacity based on current and future demand for services
- Monitor capacity usage and anticipate changes

SUPPLY AND DEMAND (8.4.)
- Understand current costs of services, forecast costs and income, create and follow a budget
- Determine current demand for services and predict future demand
- Plan capacity, monitor trends and usage, to ensure sufficient capacity is available to run the services as required

CHANGE MANAGEMENT (8.5.1.)

Change management: to control changes and maintain the stability of the SMS

The change management policy:
- clarify what is under the control of change management
- categories of changes (e.g. standard, emergency, normal)
- criteria for major impact changes

RFC (Request for Change)
- recorded
- classified
- submitted for approval
- prioritized

Changes must be prepared, verified and tested (if possible)

A roll back plan or a solution to mitigate negative effects of unsuccessful changes

SERVICE DESIGN AND TRANSITION (8.5.2.)
PLANNING
Responsibilities and authorities, resources, activities of third parties, relationships and dependencies, testing requirements, acceptance criteria, intended outcomes, impact

DESIGN
SLAs, contracts and agreements, training and experience requirements, updates to service catalogue, impacts and risks, responsibilities

BUILD AND TRANSITION
Testing, to confirm that requirements are met, and that acceptance criteria are fulfilled

RELEASE AND DEPLOYMENT MANAGEMENT (8.5.3.)

The organization shall define:
- types of releases (e.g. major, minor, emergency)
- frequency
- how releases are managed

Plan the deployment of new or changed services considering:
- RFC (requests for change)
- known errors or problems closed
- deployment dates and methods (big bang or phased; manual or automated; push or pull)
- any downtime of services

Before deployment:
- verify the release against acceptance criteria
- take a baseline of the configuration items affected

Monitor the success or failure of releases.

SERVICE DESIGN, BUILD AND TRANSITION (8.5.)
- Document a change management policy. Record, classify and submit for approval Requests for Change. Investigate unsuccessful changes and have a solution for such situations.
- New services, changes to services, removal and transfer of services are managed with the Service design and transition process.
- The implementation of new or changed services is coordinated by the Release and deployment management.

INCIDENT MANAGEMENT (8.6.1.)

Incident management:
- record, classify and prioritize incidents
- establish an escalation mechanism
- resolve and close incidents

Major incidents:
- Establish criteria for major incidents (e.g. number of users affected, services affected, security)
- Document a procedure for managing major incidents
- Keep management informed on the management of major incidents
- Retain records of major incidents
- Review and analyze major incidents

Incident Nonconformity

SERVICE REQUEST MANAGEMENT (8.6.2.)

Service request Incident

Service requests are: recorded, classified, prioritized, fulfilled and closed

For efficiency:
- the process should be standardized and automated (as much as possible)
- support teams shall have access to instructions
- the number of workflows should be limited

Keep the customers informed

PROBLEM MANAGEMENT (8.6.3.)

Problem management looks for the root cause to prevent incidents from happening again
- Analyze incidents to identify problems
- Record and classify problems
- Investigate and, if necessary, escalate problems

Known error
A problem with an identified root cause and with a workaround (a temporary solution)

Retain records of known errors, root causes, workarounds, resolutions

RESOLUTION AND FULFILMENT (8.6.)
- The organization shall record incidents, classify them, prioritize them, escalate incidents if required, resolve and close incidents. A procedure for managing major incidents shall be documented.
- Service requests shall be recorded, classified, prioritized, resolved and closed.
- Problems must be identified, recorded, classified, prioritized, resolved (if possible) and closed. Records of known errors, root causes, resolutions and workarounds shall be retained

SERVICE AVAILABILITY MANAGEMENT (8.7.1.)
- Assess and document, at planned intervals, the risks to service availability
- Monitor services for availability performance
- Investigate cases of unplanned unavailability
- Inform customers and users in case of planned unavailability (e.g. scheduled maintenance)

SERVICE CONTINUITY MANAGEMENT (8.7.2.)
- Assess risks to service continuity
- Prepare service continuity plan(s)

ISO 22300 series – Business Continuity Management

Planning for service continuity:
- decide who invokes the plan(s)
- team(s), responsibilities and authorities
- actions to be performed
- contacts
- responsibilities for communication
- steps to return to normal operation

SCPs (Service Continuity Plans) shall be kept current and tested

MTPD – Maximum Tolerable Period of Disruption
MBCO – Minimum Business Continuity Objective

INFORMATION SECURITY MANAGEMENT (8.7.3.)

ISO/IEC 27000 series – Information Security Management
- Develop an information security policy
- Communicate the information security policy inside the organization, and make it available to interested parties
- Identify and assess information security risks
- Implement controls for the risks assessed
- Record, classify, prioritize, escalate, resolve and close information security incidents
- Analyze security incidents periodically

ISO/IEC 20000-7 – Integration of ISO/IEC 27001 and ISO/IEC 20000-1

SERVICE ASSURANCE (8.7.)
- Assess service availability risks and work with capacity management to avoid situations of unplanned unavailability
- Prepare for a major loss of service, develop and test service continuity plan(s)
- Develop an information security policy, assess information security risks, implement controls and manage information security incidents

MONITORING, MEASUREMENT, ANALYSIS AND EVALUATION (9.1.)
• Determine what to monitor and measure
• Determine the methods for monitoring and measuring
• Decide when to monitor and measure
• Decide when the data obtained will be analyzed and evaluated

INTERNAL AUDIT (9.2.)

The organization shall conduct internal audits of the SMS at planned intervals

Internal audit programme – planning of internal audits for a period of time (usually one year)

For each internal audit
- identify the auditors (competent and objective)
- develop an audit plan (includes the audit scope and criteria)
- document the audit report
- communicate audit results to relevant managers
- retain documented information (plans, reports, checklists, nonconformities, etc.)

ISO 19011 – Guidelines for auditing management systems

MANAGEMENT REVIEW (9.3.)
Top management reviews the SMS and the services at planned intervals

Input elements
- Changes
- Performance and effectiveness of the SMS
- Performance of the services
- Performance of suppliers
- Feedback from customers and interested parties
- Achievement of objectives
- Risks assessed and actions taken in response
- Current and forecast resources
- Status of actions agreed in previous meetings
- Opportunities for improvement
- …

Decisions to improve the services and the SMS

SERVICE REPORTING (9.4.)

The organization produces reports with regards to the delivery of its services and about the SMS, to help decision making

Summary of reports including:
- purpose and content
- audience
- frequency
- responsibility to produce the reports

PERFORMANCE EVALUATION (9)
- Determine what to monitor and measure with regards to the services and the SMS, how and when to monitor and measure, when to analyze and evaluate the data obtained
- Conduct internal audits of the SMS at planned intervals
- The top management reviews periodically the services and the SMS
- Produce accurate and timely service reports as required, to help decision making

NONCONFORMITY AND CORRECTIVE ACTION (10.1.)

Nonconformity = non-fulfilment of a requirement
• React and deal with the consequences (correction)
• Understand the root cause of the nonconformity
• Propose and implement a corrective action (that addresses the root cause)
• Review the effectiveness of the corrective action
• Retain documented information

CONTINUAL IMPROVEMENT (10.2.)
Identify and document opportunities for improvement

Sources of improvement opportunities:
- employee suggestions
- audits
- benchmarking
- customer feedback
- monitoring and measuring
- incidents, problems and nonconformities
- …

CERTIFICATION TO ISO/IEC 20000-1

Certification for organizations
- To confirm that its SMS follows the requirements of ISO/IEC 20000-1
- Valid for 3 years with annual surveillance audits

Certification for persons
- Obtained after an examination
- There are usually different levels: Foundation, Implementer, Auditor