4.5.2 Requirements
# Requirement Essential
Service Management
1 The supplier shall adhere to an IT service management framework using
processes that are based on ITIL (V2 or higher) or equivalent best practice
guidance. Demonstrating the capability of the organisation by achieving certification to the ISO/IEC 20000 standard or an equivalent standard is desirable.
The supplier shall provide evidence for the following processes: • Incident Management Process
• Problem Management Process • Change Management Process • Release Management Process • Configuration Management Process • Capacity Management Process • Service Level Management Process • Availability Management Process
• IT Service Continuity Management Process
• Continuous Service Improvement Process
Y
2 The supplier shall interface appropriately, where required, with the Customer’s
ITIL aligned Service Management processes and appropriate peer contacts
Interfaces, deliverables and activities are defined in the Service Acceptance Criteria (SAC)
Y
3 The supplier shall provide access to a real-time solution allowing the customer to effectively monitor the performance of the service.
4 The supplier should implement a comprehensive Performance Monitoring System (PMS) to monitor and measure the performance of services being delivered and performance against agreed Service Levels and Key Performance Indicators.
Y
5 Each provider shall permit the Customer to publish service performance
information via media which may be visible in the public domain
Y 6 The supplier should utilise an industry recognised ITIL based Service
Management toolset capable of storing at least 12 months’ worth of historical
data.
Y
7 The supplier shall work collaboratively with the Customer and other Service Providers, when reasonably requested.
Y 8 The supplier shall apply a set of Incident and Problem Severity classifications.
It is expected that these classifications are based on the impact and the urgency of the Incident / Problem.
Y
9 The Supplier must allocate each Incident Record with a unique reference
number when the Incident is Logged on the Supplier’s Incident Management Tool. This reference number must be provided to the party logging the Incident.
Y
10 The Supplier shall provide an audit trail of any incident actions and resolution
activity upon request for a period of 12 months. The incident audit log should
contain all activities pertaining to the issue being dealt with including as a minimum; time of acceptance, assignment to internal resolution teams, reasons for pending, confirmation of contact/agreement with end users, investigation actions, resolution detail, reasons for referral, incident classification (service failure/service request/user error/training)
Y
11 The Supplier shall provide diagnostic scripts, tools, knowledge articles, and
training materials to enable customer’s service desks to triage incidents, support local resolution, and capture the information necessary to resolve incidents. These must be subject to continual improvement.
Y
12 The supplier will own and actively manage all Incidents, Problems and Service
Requests logged through its Service Desk or raised proactively until an appropriate resolution is effected and confirmed by the end users affected
Y
13 The Supplier should allow authorised users access to their incident
management tool to review the status and update the progress of their
Incidents and Service Requests. This may be via a self-service web portal or similar. The authorisation should ideally be three levels; Admin access for HSCIC to see all incidents; LOA access to see all Incidents at an Organisation level; User access to see any incidents they have raised individually.
14 Upon identification that the activity required to resolve the Problem resides
outside of the Supplier’s boundary of responsibility the Supplier should immediately refer the problem to the appropriate party where one exists. The Supplier should retain an open problem record until the accepting party confirms resolution of the Problem. Any dispute between the parties shall be referred to the Customer.
15 Each Supplier should make available a copy of its Problem Tracker on a
regular basis to reflect updates to the status of Problems
16 Each provider should present notification of changes to the Customers Service
Management Team in sufficient time to allow integrated suppliers to impact assess and test the change appropriately on the non-production test environment. For normal changes, the expectation would be a minimum of
one weeks’ notice.
17 When planning a Release, each provider should ensure that the timing of the
release is notified to the Customer’s Service Management team, with the opportunity to provide feedback and objection, at least 3 months before the planned release date.
18 The supplier should demonstrate how it proposes to manage Capacity for the duration of the contract
19 The supplier shall be capable of agreeingand monitoring a set of appropriate Service Levels which shall be measured and reported against to the Customer at least on a monthly basis.
Y
20 Each provider should host a regular Service review to review the previous
periods service performance and agree performance against Service Level Agreements
21 The supplier should comply with the provisions of ISO/IEC 22313 – Societal security -- Business continuity management systems
22 The supplier should deliver a Business Continuity and Disaster Recovery solution which allows for the agreed service levels to be maintained at all times, even in the event of a catastrophic event.
Y
23 Each Supplier should deliver a Business Continuity and Disaster Recovery
Plan to the Customer for review on an Annual basis – or following any significant change to the services. Any material issues with the plan must be addressed by the supplier
Y
24 The supplier should prove their Business Continuity/Disaster Recovery
solutions and provide anonymised evidence of existing solutions.
25 Each provider should demonstrate that continuous improvements are made to
the service delivered based on both proactive activities and user feedback
Service Desk
26 The supplier must provide a Service Desk capable of operating 24x7 and capable of accepting Incidents and Service Requests by at least the following means from both users and administrators of the service:
• Telephone. • Email. • Web Portal.
• In addition of toolset integration and acceptance of Incidents via social media or direct messaging would be desirable.
Y
27 The provider Service Desk Telephone number should be via a single,
published number which is either free or standard rate charged to landlines.
This may be the current NHSmail service desk number used today.
Y
28 Each provider should publish an appropriate Escalation process. Y
29 The supplier must provide a Continuous Service Improvement Plans process that captures future development, Service Improvementsand complaints.
Y 30 The supplier should be capable and willing to work with other customer
nominated suppliers (for example in cross boundary Incident resolution). 31 The supplier’s Service Desk shall at all times reasonably co-operate with the
Customer in the investigation and resolution of Incidents associated with the
Contractor’s Services and with services provided by Related Service Providers.
32 Each supplier shall provide a mechanism for communicating the current status
of the services and Incidents out to the user community. It is acceptable for
this communication to be self-service; however, a ‘push’ mechanism would be
desirable. The use of social media direct messaging is an acceptable
mechanism. In the case of severity 1 and severity 2 Incidents (or equivalent for the two highest impact/urgency incident categories), the updates on the status of the Incident should be at intervals of no greater than 30 minutes for Severity 1 (or equivalent) and 60 minutes for severity 2 (or equivalent), or as otherwise requested by the Customer.
Y
33 Each Supplier’s Service Desk should provide the originator of the Incident or
Service Request with regular communications on the status and progress of the Incident or Service Request
34 The supplier must provide a dedicated High Severity Service Incident Management function for handling Severity 1 and 2 incidents.
Y