ISO/IEC 20000:2011 - A Pocket Guide

2 Overview of ISO/IEC 20000

This chapter introduces ISO/IEC 20000. It outlines the structure of ISO/IEC 20000, its history, and its purpose; and explains the contributions and benefits of the standard to IT organizations.

2.1 The ISO/IEC 20000 Series

The core of the ISO/IEC 20000 standard consists of several documents:

1.   ISO/IEC 20000-1:2011 Service management system requirements. This is the formal specification of the standard. It describes the required activities, documents and records defined in 256 'shall' statements.

2.   ISO/IEC 20000-2 Guidance on the application of service management systems describes the best practices in detail and provides guidance to auditors and recommendations for service providers planning for service improvements defined in 'should' statements.

3.   ISO/IEC TR1 20000-3 Guidance on scope definition and applicability of ISO/IEC 20000-1 provides guidance on determining the scope of certification and the applicability of the standard.

4.   ISO/IEC TR 20000-4 Process Reference Model facilitates the development of a process assessment model that will be described in ISO/IEC TR 15504-8 Information Technology - Process Assessment.

5.   5. ISO/IEC TR 20000-5 Exemplar Implementation Plan for ISO/IEC 20000-1 provides guidance on the implementation of the standard's requirements.

Other parts of the standard are currently being planned.

More details of each document will be described in the upcoming chapters.

2.2 History of ISO/IEC 20000

The IT Infrastructure Library (ITIL) is accepted all over the world as a de facto reference for best practice processes in IT Service Management. Inherently, because ITIL is a framework and not a standard, showing compliance with ITIL is impossible for service providers2. This changed in the year 2000 when a formally documented standard became available. It was BSI (the British Standards Institution) who officially determined the requirements for the effective delivery of services to the business and its customers in a British Standard: BS 15000.

The first edition of BS 15000 was published in November 2000, based on an earlier publication - DISC PD0005: 1998 - the Code of Practice for IT Service Management. BS 15000-1:2002 became the second edition, which was the result of experience and feedback from early adopters of the first edition. The development of a certification strategy gave a major boost to the acceptance of BS 15000 as a formal standard.

On 15 December 2005, ISO, the International Organization for Standardization, accepted BS 15000 as an international ISO standard: ISO/IEC 20000:2005, the first edition of the standard.

There are two ways to create an ISO standard:

1.   A cooperative creation by involved countries, or

2.   The fast-track route based upon a national standard.

For the acceptation of this British Standard, ISO followed the fast-track route. Preceding its acceptance as an ISO standard, BS 15000 was already copied and accepted in the national standards bodies of Australia and South Africa.

More information about the ISO organization, its processes and procedures can be found in Chapter 3.

Besides ITIL, many IT Service Management frameworks are available. Some are public domain and freely available and others can be acquired at a fee or cost. Furthermore, several vendors have developed their own framework in support of their IT Service Management solutions and offerings. It is a misperception that ISO/IEC 20000 is solely based on ITIL or that the adoption of ITIL is a prerequisite to comply with the requirements of ISO/IEC 20000. A service provider is free to choose the IT Service Management framework, or a combination of frameworks, that it prefers in support of its endeavors to benefit from the standard. ITIL is not known for its strengths in areas like IT governance, project and program management, risk management, information security management, quality management, and business analysis. These are areas for which widely accepted complementary frameworks and standards exist, all contributing to becoming ISO/IEC 20000 certified as a service provider.

The first edition of the standard, ISO/IEC 20000:2005, in particular the Specification, ISO/IEC 20000-1:2005, was a slightly adapted version of BS 15000-1. The BS 15000 Code of Practice (BS 15000-2) was upgraded to ISO/IEC 20000-2 (Code of Practice) on December 15, 2005. In late 2011 or early 2012 the new edition is expected on this document.

ISO/IEC 20000-1:2005, the Specification, was the formal specification of the standard's initial release. It described the required activities defined in 170 'shall' statements.

Part Two of the standard, ISO/IEC 20000-2:2005, the Code of Practice, provides guidance and recommendations for the interpretation of the requirements of ISO/IEC 20000-1. It provides guidance to auditors and offers assistance to service providers who are planning service improvements. It lists guidelines and suggestions that service providers 'should' address when wishing to be audited against the ISO/IEC 20000-1 requirements and become certified. The Code of Practice is not part of the requirements. It supports the efforts to meet the requirements described in ISO/IEC 20000-1.

Three additional parts of the standard, parts 3, 4 and 5, have been released in 2009 and 2010 as described in section 2.1.

There are three parts of the standard that have yet to be released: ISO/IEC 20000-6, -7, and -8.

The diagram below depicts the relationship between part 1 and part 2 of the ISO/IEC 20000 standard and the many ITSM frameworks available in the market:

Figure 2.1 Relationship between ISO/IEC 20000 part 1 and 2 and ITSM frameworks

The second edition of the standard, ISO/IEC 20000-1:2011 Service management system requirements, was released on April 15, 2011. It describes the required activities defined in 256 'shall' statements. The reasons for publishing a new version of the standard were:

   All ISO standards must be reviewed every five years; this is an ISO requirement

   Comments deferred from the ISO/IEC 2000:2005 publication have been addressed in this new version

   Many improvements have been suggested over the years

   The Joint Technical Committee of ISO responsible for the standard has grown to more than 20 countries; this increase in popularity has resulted in many suggestions for improvements

   A closer alignment with ISO 9001, the Quality Management standard

   The publication of ITILv3 in 2007

   A closer alignment with ISO/IEC 27001, the Information Security Management standard

   A stronger emphasis of interfaces between processes

   Improved consistency of international ITSM terminology

The benefits of the new version of the standard are:

   Easier integration with Management Systems of standards such as ISO 9001 and ISO/IEC 27001

   Improved clarity of interpretation of requirements

   Improved clarity of terminology

   Increased quality, consistency, and productivity of service delivery due to the additional requirements of ISO/IEC 20000:2011 compared to the 2005 edition

More information about the main differences between the 2005 and the 2011 edition of the standard is addressed in Appendix B.

Transition for Certified Organizations

Organizations who are already certified and wish to move to the 2011 edition of the standard should discuss the timescales with their Registered Certification Body.

2.3 Purpose of ISO/IEC 20000

The purpose of ISO/IEC 20000 is to provide a common reference standard for any enterprise offering IT services to internal or external customers.

Given that communication plays an essential role in IT Service Management3, one of the most important goals of the standard is to create a common terminology for service providers, their suppliers and their customers.

The standard promotes the adoption of an integrated process approach for the management of IT services. With a high number of the standard's requirements referring to process integration or process interfaces, a strong emphasis is given to this "integrated process approach"4. By making process integration such high priority the standard inherently makes communication play a central role in enabling effective IT Service Management.

The standard's processes have been positioned in a process model, representing the minimal activities mandatory for quality IT Service Management - things that are common to and required by every service provider. ISO/IEC 20000 does not address local requirements or specific regulatory or statutory requirements, although the standard requires that these are considered in the service requirements.

ISO/IEC 20000 represents a set of minimum requirements to audit an organization against effective IT Service Management. The standard has enabled service providers globally to determine formal compliance to these IT Service...