The ISO/IEC 20000 international standard for “Information technology — Service management – Part 1: Service management system requirements” (referred to in this guide as simply “ISO/IEC 20000”) was originally published by the ISO in 2005 and is based upon the earlier British standard BS15000. Revised in 2011, ISO/IEC 20000 specifies the requirements that your SMS will need to meet in order for your organization to become certified to the standard. The requirements in ISO/IEC 20000 are supplemented by guidance contained in ISO/IEC 20000 Part 2 which was also revised in 2011. ISO/IEC 20000 Part 2 is well worth reading as it fills in some of the gaps in understanding how the requirements in ISO/IEC 20000 Part 1 should be met and gives more clues about what the auditor may be looking for.
There are a number of other documents published within the ISO/IEC 20000 series and many of them provide useful supporting information for organizations going for ISO/IEC 20000 certification (or simply using it for guidance). Some of the commonly-referenced ones are:
It’s worth pointing out that, although useful, none of these are required reading for ISO/IEC 20000, so if you are limited in time and budget, ISO/IEC 20000 Part 2 is still your best bet.
There’s no obligation to go for certification to ISO/IEC 20000 and many organizations choose to simply use the standard as a set of good practice principles to guide them along the way to managing their IT services effectively.
After the foreword (which mainly describes the differences between the 2005 and the 2011 versions) and the introduction (which sets out the principles of the Plan-Do-Check-Act cycle), the standard consists of a total of nine sections. Sections 1 to 3 don’t contain any requirements, so an organization wouldn’t be audited against those. They are worth a read, however, as they provide some useful background to what the standard is about and how it should be interpreted.
Sections 4 to 9 set out the requirements of the standard. Requirements are often referred to as the “shalls” of the standard because that is the word usually used by ISO to show that what is being stated is compulsory if an organization is to be compliant. So the (internal and external) auditing process is basically an exercise to check whether all of the requirements are being met by the organization. Requirements are not optional and if they are not being met then a “non-conformity” will be raised by the auditor and the organization will need to address it to gain or keep their certification to the standard (see the section on auditing later in this guide).
In order to show that the requirements are being met, the auditor will need to see some evidence. This can take many forms and is defined as a combination of “documents” (evidence of intention such as policies, processes and procedures) and “records” (evidence that something has been done). This is often a major culture change in many organizations. Just doing something is no longer enough; you must be able to prove that you did it. This means keeping records in areas where you may not keep records at the moment, a good example often being meeting minutes. Meetings happen, things are discussed and decisions are made, but the auditor won’t just accept your word for it. The auditor will want to see the minutes. Other examples could be training records – who was trained to do what, and when? Or service continuity tests – what was tested, by whom, when, and what was the outcome?
If all of this sounds rather onerous, it’s true that it can mean more work, at least in the short term. But doing IT service management according to the ISO/IEC 20000 standard is about doing it right. You will be taking advantage of the knowledge of a wide variety of experienced people who have come together to define the best way to create an SMS that works: people from all over the world, in a wide variety of industries and in organizations large and small.
From our experience, what often happens during the process of implementing an international standard such as ISO/IEC 20000 is that initially you will put things in place just because the standard says you should. Some of the requirements may seem unnecessary, over the top or excessively bureaucratic. But gradually, as time goes by and your SMS becomes more established, you will start to see why they are included and the difference they make to your organization and the delivery of your services. Soon you will begin to implement procedures and methods that go further than the requirements of the standard because you can see that they would be useful and will provide better service for your organization. You’ll start to see that it’s about becoming more proactive in everything you do, and how in the long term this reduces the amount of reactive activity necessary. In simple terms, you’ll start to “get it” (but be patient, it can take a while!).
But in the meantime, you’ll need to create some of those “documents and records”. And that’s where the CertiKit ISO/IEC 20000 Toolkit comes in…