A Guide to the new ISO/IEC 20000-1
The differences between the 2005 and the 2011 editions
This is a sample chapter from A Guide to the new ISO/IEC 20000-1. To read more and buy, visit http://shop.bsigroup.com/bip0124 © BSI British Standards Institution
Lynda Cooper
First published in the UK in 2011 by
BSI
389 Chiswick High Road London W4 4AL
© British Standards Institution 2011
All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.
Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.
While every effort has been made to trace all copyright holders, anyone claiming copyright should get in touch with the BSI at the above address.
BSI has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this book, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.
Typeset in Frutiger by Monolith, www.monolith.uk.com
Printed in Great Britain by Berforts Group, www.berforts.co.uk
British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN 978-0-580-72850-1
Contents
Acknowledgements
1. Introduction
1.1. What is ISO/IEC 20000?
1.2. The ISO/IEC 20000 series
1.3. The author
1.4. Audience and intended use
1.5. What changes are being compared in this book?
1.6. What is a key change?
2. Summary of the key changes made from the 2005 edition to the 2011 edition
3. How to move from the 2005 edition to the 2011 edition
3.1. Certification scheme changes
3.2. Qualification scheme changes
3.3. Moving certification from the 2005 edition to the 2011 edition
4. Guidance on the key changes made to ISO/IEC 20000-1
4.1. Introduction
4.2. Structural changes
4.3. Changes to figures
4.4. Changes to terms and definitions and use of English
4.5. Changes to support the definition of scope
4.6. Changes to the management of new or changed services
4.7. Changes to roles and documents
4.8. Changes made to align with other standards
Appendix A Relationships with best practice guidance
Appendix B Bibliography and further information
Appendix C Mapping and differences between the 2005 edition and the 2011 edition (2005 baseline) (The tables in this appendix are given in full on the CD accompanying this book)
Appendix D Mapping and differences between the 2011 edition and the 2005 edition (2011 baseline) (The tables in this appendix are given in full on the CD accompanying this book)
Acknowledgements
The work during 2006–2010 on updating ISO/IEC 20000-1 has involved many national standards bodies and the International Standards committee as well as the BSI committee that originally produced the 2005 edition and BS 15000 before that. I would like to thank them for sharing their views and providing constructive criticism and suggestions in the development of the 2011 edition.
It is not possible to acknowledge all those who have been involved but I would like in particular to thank those involved in the redrafting of the standard and the review of this book:
• Graham Cox – for his work in reviewing this book and his exceptional skills in English grammar;
• Nick Fright – for his work in reviewing this book and his knowledge of other standards;
• Shirley Lacy – for her work in reviewing this book and her knowledge as an ITIL®1 author;
• Anita Myrberg (Sweden) – for her work as co-editor of the standard and for bringing a calm, reasoned, knowledgeable approach to our work;
• Professor Pierre Thory (France) – for his work as co-editor of the standard and bringing his management thinking to the standard;
• Peter Restell of BSI for guiding us all through the complexities of the BSI and ISO processes and directives;
• Jack Robertson-Worsfold – for his additions to the book on operational issues, which are shown in boxes throughout the text;
• Dr Alastair Walker (South Africa) – for his analysis tool from SPI Laboratory (Pty) Ltd, which helps to identify the differences in editions;
• All members of the BSI and ISO committees – (you know who you are) for their parts in commenting on, resolving and supporting the production of the 2011 edition of Part 1.
The standard is managed through working group 25 (WG25) of the SC7 subcommittee of ISO/IEC JTC1. The convenor of WG25 during the revision of Part 1 was Dr Jenny Dugmore. The project editor for Part 1 was Lynda Cooper (UK), with co-editors Anita Myrberg (Sweden) and Professor Pierre Thory (France). Many countries are represented on WG25 and have played an active part in the development of the 2011 edition. They include Australia, Canada, China, Cote d’Ivoire, Czech Republic, Finland, France, Germany, India, Italy, Japan, Korea, Luxembourg, New Zealand, South Africa, Spain, UK and USA.
Also, I would like to thank Dr Jenny Dugmore (UK) for her role as convenor for the BSI and ISO committees, which has steered the ISO/IEC 20000 series to what it is today.
Finally, I would like to thank Julia Helmsley and Jenny Cranwell of BSI for their support during the production of this book.
1 ITIL® is a registered trademark of the Office of Government Commerce in the United Kingdom and other countries.
1. Introduction
1.1. What is ISO/IEC 20000?
ISO/IEC 20000-1:2011 is a service management system (SMS) standard. It specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain and improve an SMS. The requirements include the design, transition, delivery and improvement of services to fulfil agreed service requirements.
The first edition of ISO/IEC 20000-1 was published in 2005. The title was Information technology — Service management — Part 1: Specification. The second edition of ISO/IEC 20000-1 was published in 2011 with a revised title. The title is Information technology — Service management — Part 1: Service management system requirements. This reflects the emphasis on the SMS and alignment with the title of ISO 9001. It also moves away from the term ‘specification’, which is reserved for use with software standards.
The new edition has been developed with the involvement of the international community through its national standards organizations and the International Organization for Standardization (ISO). The 2011 edition should lead to improvements in IT efficiency and business productivity.
The changes will impact organizations certified to this standard, or working towards certification, that use the standard in contracts, or that use the standard as guidance. It will also impact the auditors, trainers and consultants who use the standard for their customers.
ISO/IEC 20000 is used internationally and by many organizations to guide their service management, many being certified to ISO/IEC 20000-1. A service management system also provides support for corporate governance, which is often reliant on information from IT services and the support of the processes in ISO/IEC 20000-1. There are many benefits from using ISO/IEC 20000-1. Certification to ISO/IEC 20000-1 by an accredited certification body shows that a service provider is committed to delivering value to customers and continual service improvement.
ISO/IEC 20000-1 is driven by the continual improvement of processes and services, so a service provider will normally find that implementing the requirements in Part 1 gives an improved service that adds much greater value to the customer. In turn, this enables the customers and their businesses to be more effective.
Whilst implementing best practice service management principles supplies obvious benefits, organizations sometimes find themselves not continuing on towards certification, citing the reason that it is unnecessary to prove beyond the customer experience that things are improving. This is a false premise. Whilst policies can direct vision and processes can supply a working structure, people may look for a route of least resistance to getting things done; indeed in certain cases expediency is often seen as a means of subjugating agreed policy by taking short cuts through processes. Whilst this can deliver short-term benefits, in the longer term it increases cost and risk and reduces operational effectiveness. With conformity comes reduced management overheads; managers are more proactive as they stop having to fight fires, and service management is more effective.
1.2. The ISO/IEC 20000 series
ISO/IEC 20000 specifies the requirements for a series of standards. In 2005, the series consisted of Parts 1 and 2. The series has changed and grown as the standard has matured. The Parts of the ISO/IEC 20000 series are:
• Part 1: Service management system requirements. Part 1 specifies requirements to be fulfilled in the form of ‘shall’ statements and can be the basis of a conformity assessment;
• Part 2: Code of practice (2005). Part 2 specifies recommendations to support the implementation of Part 1. Part 2 is currently being updated and will be published with a new title of Guidance on the application of service management systems. This revision of Part 2 will align with the 2011 edition of Part 1;
• Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1 (Technical Report). Part 3 is a guidance document covering two specific areas that are complex for ISO/IEC 20000. This document can support those who wish to demonstrate conformity to Part 1;
• Part 4: Process reference model (Technical Report). Part 4 is a process reference model that will support the development of the process assessment model that will be published as ISO/IEC 15504-8;
• Part 5: Exemplar implementation plan for ISO/IEC 20000-1 (Technical Report). Part 5 is a guidance document to support organizations that are implementing ISO/IEC 20000-1 for the first time or that are improving their existing service management system;
• Part 10: Concepts and terminology. Part 10 is not yet published. It will be a document to pull together the concepts and terminology used in the ISO/IEC 20000 series. The next edition of Part 1 will not need to include terms and definitions as these will be in Part 10.
Parts 6 to 9 are under consideration, subject to research on what is required by the service management industry. Proposals include mapping the requirements in Part 1 to best practice advice in the Information Technology Infrastructure Library (ITIL), and, if this is agreed, other standards, methods and frameworks, such as COBIT (Control Objectives for IT).
A new related standard is being developed but is not yet published: ISO/IEC TR 90006: Guideline on the application of ISO 9001 to IT service management. This new standard will be based on the 2011 edition of ISO/IEC 20000-1.
A further new related standard is being developed but is not yet published: ISO/IEC 27013: Guidelines on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1. The new standard will be based on the 2011 edition of ISO/IEC 20000-1.
1.3. The author
This book is written by Lynda Cooper, the project editor of ISO/IEC 20000-1 who represents the UK on the ISO/IEC committee responsible for the ISO/IEC 20000 series. Lynda also sits on the BSI committee that first developed BS 15000, which was fast-tracked to become ISO/IEC 20000-1 in 2005. She has worked on comment resolution with BSI and ISO committees throughout the five years it has taken to draft the 2011 edition and knows every change and the reason for it. Lynda is an independent consultant and trainer who is one of the first people in the world to be qualified to ITIL Master level2. She has supported many organizations to implement service management and to achieve ISO/IEC 20000 certification.
1.4. Audience and intended use
This publication is for the many organizations that have used the 2005 edition of ISO/IEC 20000-1 as the basis for service delivery. It is also intended for people involved in the preparation for certification, audits, self-assessments and training. It will also be very useful for trainers, consultants and managers responsible for continual service improvement, procurement and supplier management. Certification bodies will find the book useful for changing their audit practice documentation.
The target audience also includes those who use ISO/IEC 20000-1 with other standards, such as ISO 9001 and ISO/IEC 27001. For this audience, there is information about how the standard relates to these other standards. The user community includes those who use best practices to support the implementation of ISO/IEC 20000-1, including ITIL. The book includes information about how ITIL can help them to achieve the requirements of the standard, in Appendix A.
2 ITIL® is a registered trademark of the Office of Government Commerce in the United Kingdom and other countries.
This book is intended to be used by readers who are already familiar with the 2005 edition of ISO/IEC 20000-1 as:
• a reference book – for those who want to see the differences, and understand the reasoning behind the changes made, between the two editions of the standard without having to work these out in detail by looking at the standards themselves;
• guidance – for those organizations wishing to move from certification to the 2005 edition to that of the 2011 edition as soon as possible, providing information to help them to make the transition simply and smoothly;
• an overview – for those who want a broad view of the differences between the two editions of the standard;
• a guide for auditors – who need to know the changes to requirements and how this will impact the evidence that is needed during the audit process;
• an individual purchase – for trainers and consultants;
• an institutional purchase – for companies that use the standard.
1.5. What changes are being compared in this book?
This book primarily compares the 2005 edition to the 2011 edition of ISO/IEC 20000-1.
Chapter 2 summarizes the key changes that have been made from the 2005 to the 2011 editions. Chapter 3 describes how to make the transition to the second edition, with reference to the relevant clauses in ISO/IEC 20000-1. Chapter 4 provides in-depth guidance on the key changes made.
The book uses the 2005 edition as the reference point. The exception is Appendix D, which uses the 2011 edition as the reference point by providing a mapping of the 2011 edition to the 2005 edition.
Some readers will only need to read Chapters 2, 3 and 4 to gain a broad understanding of the differences between the two editions. Those who require a mapping and detailed knowledge of the differences will also need to read Appendix C (if the 2005 edition is the baseline of the reader) or Appendix D (if the 2011 edition is the baseline of the reader). The details provided in Appendix C and Appendix D comprise the same information but from a different baseline. For ease of use, Appendix C and Appendix D are available on the CD provided.
The introduction of the 2011 edition states ‘ISO/IEC 20000 is intentionally independent of specific guidance. The service provider can use a combination of generally accepted guidance and its own experience.’ There are different guidance frameworks available for service management. A service provider may also use their own methods and techniques to support the implementation of ISO/IEC 20000-1. Appendix A gives information about the relationship of the standard with best practice guidance. As an example, it gives a high-level mapping of the 2011 edition of ISO/IEC 20000-1 and the 2011 edition of ITIL.
Text from standards or other frameworks is presented in quotes.
1.6. What is a key change?
The key question for those using the 2005 edition of the standard and either considering moving to the 2011 version, or indeed looking at the implications of moving, will be: ‘what does it mean to me from an operational service delivery perspective?’.
Expert commentary has been added throughout the book to suggest the potential impact of changes on people, policy, process and technology. For example, consider:
• the current structures your organization works with;
• the various rules put in place by policy;
• the operational activities dictated by processes; and of course,
• the constraints and opportunities afforded by technology.
Any change to the standards by which these components have been implemented could have an impact on one or more of the components.
In reviewing the changes, a number of considerations are important:
• impact on the status quo (or current operability of the services);
• cost of making the changes versus the cost of not making them;
• risk of not making the changes and the impact upon the ability to maintain adherence to the standard;
• the cultural and operational impact upon the organization.
The tables in Appendix C and Appendix D show the changes made using the categories below. More than one category can apply to a change, e.g. a new or deleted requirement is also shown as a minor, medium or major change.
• no change – text is the same in both the 2005 and 2011 editions;
• deleted requirement or other text – 2005 edition text is not in the 2011 edition;
• new requirement or other text – text is in the 2011 edition that was not in the 2005 edition;
• editorial change – text has changed for editorial reasons such as improved English or change of terms; the requirement or intent of the statement has not changed;
• minor change – change to a requirement that is unlikely to affect an organization’s ability to achieve certification or a change to text that is not a requirement but is more than an editorial change;
• medium change – change to a requirement that may affect an organization’s ability to achieve certification or a change that needs to be assessed for impact on the existing SMS;
• major change – fundamental change to a requirement that will have a major impact on an organization’s ability to achieve certification.