
Service Management

White paper

ISO 20000 unveiled


How to derive added value from yet
another new standard

Implementing standards delivering business value


Legislative compliance and the continuous rat race for higher quality and lower cost are some
of the topics that keep the average IT manager from having a nine-to-five working day. This is
despite the availability of a multitude of models, approaches and best practices claiming to be
the silver bullet that your IT organization has been looking for all this time. Now ISO claims to
have yet another definitive solution: ISO/IEC 20000.

Many people fear that this is another bureaucratic nightmare that will deliver no value. And of
course, just as with ISO 9000, there is a risk that it is not the concept of driving for quality that is
embraced but only a paper reflection of it, leading to an organization that thinks about ISO only
when it's time for the next audit. But when applied properly it can indeed add substantial value
for businesses, especially in information-intensive industries.

This white paper describes not only how to implement ISO/IEC 20000 in your organization in
a way that actually adds measurable financial value, but also what the standard is about and how
it relates to some of the other popular models in the market.

Dare to challenge
ISO/IEC 20000
Published by the International Organization for Standardization (ISO) and International
Electrotechnical Commission (IEC), ISO/IEC 20000:2005 is the first worldwide quality standard
specifically aimed at IT support and maintenance organizations. It describes an integrated set of
processes and management approach for the effective delivery of IT services to the internal or
external customer.

ISO/IEC 20000 is basically a marriage between two best practices: ITIL and ISO's management
system standards ISO 9001:2000 and ISO 14001:2004. ITIL stands for Information Technology
Infrastructure Library and is a set of processes that cooperate to ensure the quality of IT services,
according to the quality levels agreed with the customer.

The main differences between ITIL version 3 and ISO 20000:2005 are the quality management
system and the possibility of certification by an independent auditor. These and other properties
make it an interesting concept for any internal or external service provider delivering application or
infrastructure management services to its clients.

Business pull

ISO 20000 provides, like ITIL, a framework to shift from a ‘technology push’ way of looking
at IT service delivery to a more ‘business pull’ approach. Today IT organizations are still
mostly organized in functional areas (or stove pipes) like network management, application
management, application development and so on. This ensures an efficient way of working, but
defining IT services this way is not aligned with the perception of an end-user selling mortgages,
as he or she could not care less about what a WAN backbone or OS390 mainframe is.

The end user is interested in the availability of those automated information processing
functionalities necessary to execute his or her job, for instance selling mortgages. It is up to the IT
organization to provide this requirement as a ‘black box’, requiring end-to-end management of the
whole IT-chain starting with client business application and desktop to LAN to WAN to datacenter
LAN to application server to database server (figure below).

ISO 20000 provides the IT organization with a set of coherent service management processes
and a quality management system to manage the full service life cycle of an IT service from the
end-user's perspective.

Figure: The transition from technical silos to end-to-end management. The left panel shows the
classic functional service orientation, the right panel end-to-end management. Both panels
contain the service chain Service Desk, Portal, Application, Database and Communications
provider, managed through Functional Area Management, Service Level Management, Change
Management and Problem Management.

Where does ISO 20000 come from?
The roots of the ISO/IEC 20000:2005 standard published in December 2005 go back as far
as 1995 when the British Standards Institute (BSI) published a document named Code of
Practice for Service Management, providing IT managers with guidelines on managing the
support and maintenance of IT services. This guide was followed in 2000 by the first release
of the British Standard 15000 named BS15000-1:2000 Part 1, Specification for Service
Management.

The ISO 9000 family


The background of ISO 9000 goes back as far as 1970 when, for the first time, international
guidelines for quality assurance and certification by a certification body were drawn up. Until
the Second World War quality control was left to the buyer, with hardly any quality control
by the supplier. This changed during the Second World War when suppliers started to
implement rudimentary quality control mechanisms. In 1987 the International Organization for
Standardization (ISO) published the ISO 9000 through ISO 9004 standards, with the Comité
Européen de Normalisation (CEN) acknowledging them as European standards and naming them
EN 29000 through EN 29004.

The ISO 9000 family of standards listed below has been developed to assist organizations of
all types and sizes to implement and operate effective quality management systems (ISO
9000:2005).
· ISO 9000 describes fundamentals of quality management systems and specifies the
terminology for quality management systems.
· ISO 9001 specifies requirements for a quality management system where an organization
needs to demonstrate its ability to provide products that fulfill the customers and applicable
regulatory requirements and aims to enhance customer satisfaction.
· ISO 9004 provides guidelines that consider both the effectiveness and efficiency of the
quality management system. The aim of this standard is improvement of the performance of
the organization and satisfaction of customers and other interested parties.
· ISO 19011 provides guidance on auditing quality and environmental management systems.
Together they form a coherent set of quality management system standards being adopted by
companies all over the world.

The standard was developed in close cooperation by the BSI, the Central Computer and
Telecommunications Agency (CCTA) and the IT Service Management Forum (itSMF). Part 1 was
reissued in 2002 and followed by Part 2 in 2003, leading to a documentation set that consists
today of four publications:
· BS 15000-1: 2002 Part 1: Specification for Service Management
· BS 15000-2: 2003 Part 2: Code of Practice for Service Management
· BIP 0005: 2004 IT Service Management: A Manager’s Guide
· PD0015: 2002 IT Service Management: Self-assessment Workbook

The first two documents form the actual BS 15000 standard, while the other two provide
additional information and assistance in its application within IT organizations.

BS 15000 is not the only standard published by BSI and later on adopted by ISO. The security
standard BS 7799, first published in 1995, preceded it some five years ago by being adopted
as ISO/IEC 17799 (eventually to be renamed ISO/IEC 27001).

ISO/IEC 20000 integrates, like ISO/IEC 17799 and BS 15000, the process-based approach
of ISO's management system standards ISO 9001:2000 and ISO 14001:2004, aimed at
enabling organizations to engage in a continuous improvement cycle, based on Deming’s Plan-
Do-Check-Act (PDCA) cycle. Though continuous improvement is also an aim of ITIL, ISO/IEC
20000 provides more specific guidelines on quality management.

The ISO 20000 framework

Figure: The ISO 20000 framework. The management system consists of management
responsibility, document requirements, and competence, awareness & training. Planning &
implementing service management follows the PDCA cycle (plan, implement, monitor, improve),
alongside planning & implementing new or changed services. The process groups are:
· Service delivery processes: Service Level Mgmt., Service Reporting, IT Service Continuity,
Availability Mgmt., Capacity Mgmt., Budgeting & Accounting for IT services, Information
Security Mgmt.
· Control processes: Configuration Mgmt., Change Mgmt.
· Release processes: Release Mgmt.
· Resolution processes: Incident Mgmt., Problem Mgmt.
· Relationship processes: Business Relationship Mgmt., Supplier Mgmt.

Like ISO/IEC 17799, ISO/IEC 20000:2005 consists of two parts and has the general title
Information Technology - Service management.

ISO/IEC 20000-1:2005 Part 1: Specification


The first part provides the minimum requirements for a mature IT Service Management (ITSM)
function and is relevant to those responsible for implementing, maintaining or auditing ITSM. It
is based on BS 15000-1:2002 and contains the policies that internal and external IT
organizations have to comply with if they want to be eligible for ISO/IEC 20000 certification.
The authority to certify is granted to independent auditors, the so called Registered
Certification Bodies (RCBs), which audit the IT organization on evidence of compliance.

ISO/IEC 20000-2:2005 Part 2: Code of practice


The second part represents an industry consensus on guidance to auditors and assistance to
IT organizations planning service improvements or to be audited against ISO/IEC 20000-
1:2005. Where the rules of part 1 are mandatory (‘Shalls’) to achieve certification, the rules of
part 2 are guidelines (‘Shoulds’) on implementing ITSM and should therefore be read in
conjunction with ISO/IEC 20000-1.

Both parts 1 and 2 of BS 15000 are replaced by the ISO/IEC standard, and certification is only
possible against the ISO 20000 standard.

When do you use ISO 20000?

ISO 9000 too generic

There are several business issues where ISO 20000 can prove its value, but it will
only do so if it is applied properly. The standard should be applied as a means, like
COBIT, ITIL or Six Sigma, to achieve the strategic objectives of the organization.
Certification should therefore not be seen as a goal in itself, but as a logical part of the
continuous journey towards higher quality and productivity figures. But sometimes the choice
whether or not to certify is not left to the IT organization to make.

IT organizations are, directly or indirectly, funded by their customers, and especially in
information-intensive businesses certification against an ISO standard is frequently a mandatory
requirement. The rationale behind this is the direct link between the quality of IT services and the
quality of end products and services produced by the customers’ business processes.

The typical business domain is familiar with ISO 9000, as this in general is the standard the IT
organization has to get certified against. However, ISO 9000 has several drawbacks. One drawback
is the fact that it is a generic standard; another is the risk of becoming a resource-hungry and
bureaucratic nightmare. This last drawback also applies to ISO 20000 if it is applied
incorrectly.

There have been earlier efforts by the JTC 1 team of ISO to overcome the drawback of ISO 9000
being too generic, by creating ISO 9000-3, TL 9000, ISO 15288, and more than 500 other IT
related ISO documents.

ISO 9000-3 is a guidance document which explains how ISO 9001 should be interpreted within
the software industry, while TL 9000:2001 is also based on ISO 9000 and 9001 but focused on
telecommunication. ISO 15288 provides guidelines on improving the quality of the IT system
lifecycle. ITIL and ISO 20000, in comparison, focus on aligning IT services to the business needs
and thus on the lifecycle of the IT service as a whole. But as systems together - from an end
to end perspective - make up a service, there is no reason why both kinds of standard cannot
coexist: they simply have a different focus.

In the end it is up to IT management to get the message across to their customers that certification
against ISO 20000 and one or more other IT specific ISO standards adds more business value
than ISO 9000 and 9001.

The roots of ITIL


ITIL was originally a set of about 60 books developed in the late 1980s as a set of best
practices for IT by the CCTA (Central Computer and Telecommunications Agency) of the UK
government. ITIL has since then become a widely accepted base for running the business of
IT, specifically the support and maintenance of applications and infrastructure.

From the beginning ITIL has been publicly available. This means that any organization can use
the framework described in the books. Because of this the IT Infrastructure Library guidance
has been used by a diverse range of organizations, such as local and central government,
energy, public utilities, retail, finance, and manufacturing. Very large organizations, very small
organizations and everything in between have implemented ITIL processes.

Being a framework, ITIL describes the contours of organizing Service Management. The
models show the goals, general activities, inputs and outputs of the various processes, which
can be incorporated within IT organizations. ITIL does not cast in stone every action that
should be done on a day-to-day basis because that is something which will differ from
organization to organization. Instead it focuses on best practice that can be utilized in different
ways according to different needs.

Legislative compliance

Another topic high on today’s IT managers’ agenda is legislative compliance, and
again ISO 20000 can be of use when properly applied. Misconduct at WorldCom,
Enron and others drove the US government to create additional legislation, known as
the Sarbanes-Oxley Act (SOX or SOXA), followed by various similar laws throughout the world like
the 8th Directive in the European Union (EU). Basically SOX demands that all publicly traded
companies in the US leave an audit trail so that all the information in their financial reports can be
verified, and it requires codes of ethics for senior (financial) executives. Financial reports for
external stakeholders became, like airplanes, objects that have to be checked and double checked
to make sure they are safe to use.

The creation, mutation, storage and transportation of financial reports is largely automated
nowadays, making the IT function one of the aspects within the scope of SOX. To ensure only
reliable financial data makes it into reports, proper control mechanisms have to be created
ensuring confidentiality and integrity of financial data, or any other data that influences the financial
results.

Financial figures are the outcome of decisions made in production, sales and other departments
and adequate control and audit mechanisms must therefore be applied to these IT systems also.
In short: the maturity of planning and control of the whole IT function has to be assessed and the
outcome has to be translated in an improvement plan. It is here that ISO 20000 can be of use as
it supports legislative compliance by:
· Providing a framework enabling a high level of operational IT control, in contrast to COBIT which
focuses more on strategic and tactical controls and processes (figure below);
· Having mature key processes like change, configuration, security and incident management;
· Leaving an auditable documentation trail of, among others, changes, incidents, configuration
items (CIs) and security issues;
· Requiring regular auditing of the IT organization by internal and external auditors.

The two examples briefly discussed above are just the tip of the iceberg regarding the business
issues that can benefit from applying (parts of) ISO 20000. Other examples are improved
business-IT alignment by implementing cross-functional customer oriented processes and
improved capabilities of managing external service suppliers (ESPs) providing outsourced IT
services.

Figure: High level mapping of popular IT frameworks. Three layers: Strategy and objectives
(COBIT), Measurement and control (CMM(i)), and Activities (ISO 20000, PRINCE 2 or PMI).

More than best practice ITIL

ISO 20000 is partially founded on the best practice ITIL but takes it a step further.
One of the drawbacks of ITIL is its lack of an objective baseline to benchmark
against. This is now partially tackled by the ISO 20000 standard. The lack of a
baseline resulted in many ESPs claiming they were ‘ITIL compliant’ without any norm that
defines what this compliance actually means. This was very confusing for customers looking
for service providers that use sound service management concepts to manage their IT. But
now customers and IT organizations have a clear and transparent standard to hold on to: ISO
20000 certification.

Company and individual certification


The ISO certification scheme originates, not surprisingly, from the BS 15000 scheme
developed by itSMF, which owns and manages it, thus controlling the way organizations were
audited and certified against the BSI standard. Certification against the BS 15000 standard ended
however by December 5th 2005 when BS 15000 was promoted to ISO 20000. All
organizations seeking certification since that date can do so only against ISO 20000, while
BS 15000 certified organizations have until the 5th of June 2007 to migrate to ISO 20000.

Besides certification of organizations, itSMF also developed exams allowing individuals to take
training courses and examinations that lead to two certificates: the ISO 20000 Auditor Certificate
and ISO 20000 Consultant Certificate. Course providers seeking to add these courses to their
portfolio have to get accredited by itSMF before they are allowed to conduct classes.

IT organizations desiring certification have to go through the following formal certification
process:
· First the organization has to demonstrate to its own satisfaction that it has appropriate
evidence of conformance to the standard;
· Then the organization has to obtain an outside view prior to the audit – either by an external
consultant or an internal audit team;
· The third and final step is arranging and participating in the formal audit by a Registered
Certification Body (RCB).

Management control

Passing an audit by an RCB requires the IT organization to demonstrate that it has
management control of all of the processes defined within the ISO 20000
standard. Within this context ‘management control’ of a process consists of:
· Knowledge and control of inputs related to the service that is delivered to the customers of
the IT organization, for instance resources, documentation, contracts with external suppliers;
· Knowledge, use and interpretation of the outputs that the IT organization produces, for
instance services and customer satisfaction (figure below);
· Definition and measurement of metrics to ensure an effective and efficient service delivery, for
instance Key Performance Indicators (KPIs) and Critical Success Factors (CSFs);
· Demonstration of objective evidence of accountability for process functionality in
conformance to the ISO 20000:2005 standard, basically meaning that the IT organization has
to prove to the auditor that it meets the requirements of ISO 20000:2005 part 1;
· Definition, measurement and review of process improvements, another key element of
control as it ensures that the organization gets into a cycle of continuous improvement of both
quality and business-IT alignment.

Figure: From input to PDCA driven transformation to output. Under management responsibility,
inputs (business requirements, customer requirements, requests for new or changed services,
other processes such as business, supplier and customer, and teams such as the Service Desk,
Security and IT Operations) pass through the PDCA cycle: Plan (plan service management), Do
(implement service management), Check (monitor, measure and review) and Act (continuous
improvement). Outputs are business results, customer satisfaction, new or changed services,
other processes (business, supplier, customer) and team and people satisfaction.

Ensuring management control is however easier said than done. The next chapter will
therefore elaborate a bit more on the implementation side of ISO 20000 and how its value
becomes available to the organization.

How to get ISO 20000 to work for you

The ISO based approach to developing and implementing a quality management system
consists of several steps, including the following:

I. Determine needs and expectations of customers


IT organizations need to clearly define their positioning towards the customer side,
concentrating on developing measurable value for the customer and other stakeholders. The
process of determining and measuring this ‘IT business value’ is the largest hurdle in creating
a value based ISO 20000 implementation. There is one key guiding principle that will support
you throughout this exercise though: in the end it is all about money.

IT business value

Value from a customer perspective is created if the price the customer is willing to
pay is higher than the actual price (customer surplus). Business value from the IT
organization's perspective is created if the received price is higher than the
accompanying cost. If the IT organization has a profit and loss responsibility, an IT surplus
can also be identified.

Figure: Value creation (based on Kaplan and Norton, 2004). The total value created is split
along the chain from the price the customer is willing to pay down to the costs of suppliers (or
opportunity costs):
· Value created by customers: consumer surplus = maximum price willing to pay minus actual
paid price.
· Value created by the business: business surplus = net received price minus the price of
resource services (amount paid to employees and IT charge).
· Value created by the internal IT organisation: IT surplus = net received charge minus the price
of IT resources (amount paid to IT employees and suppliers).
· Value created by suppliers, both IT and non-IT: actual expenditures plus loss of marginal
income due to sale of alternatives.

In other words, though ISO 20000, and all the other ISO standards for that matter, focus
primarily on quality improvement, it is imperative to translate into financial terms at a
certain point when the organization wants to justify the investment to its owners. A simple
example of such a performance indicator is the average resolution time of incidents. If it
decreases it results in less downtime in the customer domain (= more revenue), with the added
bonus of less time spent by the IT organization on incident solving (= lower costs). Based on
a clear definition of the needs and expectations of the customers, the IT organization can
determine which services it wants to develop and produce itself and which it wants to insource
from third parties. As soon as the needs and expectations of all stakeholders are identified,
measurable objectives can be set.

II. Establish quality policy and quality objectives

Defining objectives and steering towards them requires the IT organization to explicitly manage
its performance. Performance management within this context has a typical set-up. First, the
organization formulates a quality policy and long term quality related objectives. Second, the policy
and the corresponding objectives are translated into Key Performance Indicators (KPIs) and
target levels. KPIs are measurable indicators which give a quantitative view of the
organization’s performance. The KPIs are often put on a scorecard, an instrument used for
communicating and analyzing the performance of the quality system. Third, the qualitative
indicators have to be mapped to financial indicators.

Strategy maps

A methodology allowing an organization to relate qualitative KPIs to the financial
bottom line is the Strategy Maps from Kaplan and Norton (2004). The strategy maps
provide the basis on how the organization expects to create value using ISO 20000 and
which indicators will measure its contribution (figure below).

Figure: Strategy map mapping ISO 20000 to compliance (Balanced Scorecard strategy map,
theme: legislative compliance and ISO 20000). Financial perspective: higher market value, lower
WACC, lower amount paid to accountants. Customer perspective: higher accuracy of financial
reports, more reliable financial data. Internal IT perspective: maturity of the management control
cycle at ‘level 3’, compliance to security policy. Learning & growth perspective: root cause
analysis of every security incident, yearly external audit and quarterly internal audit.

After the definition phase it is time to implement the proper processes and accountability
framework to ensure that the organization drives towards its objectives.

III. Determine processes and responsibilities


To attain the quality objectives of the organization, it is necessary to determine certain
processes and responsibilities. This requires a combination of analytical skills and management
control experience as the strategy map and KPI’s now need to be linked to process activities
and accountabilities. Typical activities for this phase are:
· Assess the current maturity of the organization and to which extent parts of ISO 20000 have
already been implemented. If the IT organization is, for example, already ISO 9000:2005
certified but has very immature ITIL Service Delivery processes, then most of the
implementation effort should be allocated to that area.
· Define a process and quality system blueprint for the organization based on the ISO 20000
framework, capturing the requirements defined by this standard.
· Define, based on the process blueprint, adequate Process Performance Indicators (PPIs)
and target levels (for instance a reduction of the time-to-market of changes by 5% in 6 months).
· Link logical sets of performance indicators and targets to responsibilities and accountabilities
of individuals within the organization.
· Ensure the availability of performance information and discuss the results regularly at the
proper management level. Consider the use of dashboards and trend analysis to enhance
transparency and quality of decision making.

IV. Determine and provide resources


ISO 20000, like ITIL, describes only the end state of the processes and objectives and does
not provide a step by step approach to get there. This makes it difficult to determine the
adequate resources and to plan the implementation in a way that optimally leverages
the building blocks that are already available within the organization.

IPW Maturity Model™

A widely used method to overcome this drawback is using the Implementation of
Process Oriented Workflow Maturity Model (IPW MM™). This is a framework which
provides an experience based and proven concept of implementing service
management concepts. IPW MM is derived from the same philosophy used in both the
Capability Maturity Model (CMM) and SPICE (ISO 15504). The model is very useful in
determining both current maturity and the ambition level, both in qualitative (for instance a
closed control loop for every process) and quantitative (e.g. incident reduction by 10%) terms.
The following figure shows a graphical representation of the current maturity of an
organization, plus its desired state in, say, twelve months. For further background on IPW MM
please refer to the Quint whitepaper The IPW Maturity Model™ and IPW™.

Figure: Moving from current to desired maturity level. Two copies of the IPW process model
(current maturity, and the ISO 20000 target) colour the processes by maturity level: improving,
proactive, controlled, monitored, not identified, not performed. The process grid covers
strategic processes (information valuing, ICT policy, HRM, architecture, commercial strategy,
finance, strategic sourcing, supplier portfolio management), relationship management, service
level management, service development (service planning, design, build & test), demand,
security, financial, supply and contract management, service continuity, availability and capacity
management, and service operations (business support, application management, incident,
problem, change, configuration, release, purchase and operations management, service desk).

V. Establish methods to measure and determine the effectiveness of each process


Once again a metric-based model like IPW MM can show its value, as for each ISO 20000
process a set of generic and process specific criteria is defined representing the value that
each process adds to the overall (financial) result. The model therefore makes improvement
projects manageable, both in terms of planning resources and of setting logical, staged ambition
levels.

Consistent with the philosophy, skipping stages is not advisable. This is essential as each
subsequent stage is built on the foundation laid in the previous stage. The stages or maturity
levels are directly linked with the (perceived) added value of the process for the customer
(customer value).

VI. Applying these measures to determine the effectiveness and efficiency of each process

Several methodologies describe the activities required to implement performance
management, but in daily practice organizations find it hard to start the wheels turning. This is
because it takes more than measuring performance using KPIs. It requires influencing human
behavior, management by example and implementation of robust coordination mechanisms to
evaluate the planned performance in a dynamic business context.

Leadership

A critical success factor of any improvement in a service organization is therefore
allocating adequate attention to long term development of leadership, management
of change and other soft skills. These softer deliverables of an ISO 20000 implementation
are at least as important as having good procedure descriptions or tools, though the average
technology driven IT manager often lacks this insight.

VII. Determine the means for preventing non-conformities and eliminating their causes
To motivate individuals and groups within the organization to show ‘desired behavior’
organizations must measure their output and reward them. Rewards can be in the form of
bonuses, prestige, greater decision rights, promotions and job security. Choosing indicators and
assigning them to individuals and groups is not without risk. Poor choice of metrics can lead to
conflicts or destroy organizational value by individuals trying to maximize their own gain (for
instance Enron and WorldCom).

Proper control mechanisms, auditing and separation of conflicting roles (for instance one
person responsible for and controlling the outcome of an indicator) are means to prevent non-
conformities and ensure follow up on any gaps identified. COBIT is strong in defining control
mechanisms. Can ISO 20000 add value by making a translation into operational controls?
Table 1 provides an example by mapping the ISO 20000 Service Level Management process
to related COBIT processes and control objectives.

Table 1: Mapping ISO 20000 requirements to COBIT controls

ISO process area: Service Delivery Processes
ISO 20000 process: Service Level Management

ISO 20000 requirement | COBIT control objective | COBIT process
SHALL record and agree all services together with their individual service targets within SLAs | 1.1 | Service Level Agreement Framework
 | 1.2 | Aspects of Service Level Agreements
SHALL document and agree all supporting service agreements | 1.1 | Service Level Agreement Framework
The SLAs SHALL be under change control | not covered explicitly |
Service levels SHALL be monitored and reported against targets | 1.3 | Performance Procedures
 | 1.4 | Monitoring & Reporting
SHALL be regular reviews of both SLAs and service achievements | 1.5 |
 | 1.7 | Review of Service Improvement Program

Another useful activity to prevent non-conformities and to eliminate their causes is auditing.
Auditing can be done by both internal and external auditors. The ISO 20000 scheme requires
IT organizations to be audited by an RCB every three years, though the RCB may conduct a
Surveillance Audit every year to review progress on previous minor non-conformances and
identified areas of concern. These external audits may be supported by regular checks for non-
conformance and improvement areas by internal auditors. See the box Auditing on ISO 20000
for some guidelines on performing an internal ISO 20000 audit.

The auditing activity is one of the means to ensure the Plan-Do-Check-Act cycle becomes a
closed loop by discovering and enforced acting on any deviations of the defined plan and
objectives. This ensures continuous learning and improvement by individuals and the
organization as a whole.

Auditing on ISO 20000
An IT organization may seek certification of its entire organization or part of it. For certification,
it is not important whether the processes within the scope of the audit are performed entirely
by the IT organization itself or partly by other organizations. Certification of the
organization might therefore rely on evidence or contributions from other supplier
organizations.

Ulrich and Smallwood (2004) provide guidelines that organizations should follow when
auditing. These generic guidelines are supplemented here with specific ISO 20000 audit requirements.
The steps are:
· Determine which part of the organization to audit. This can be a division, region or the entire IT
organization. These organizational boundaries make up part of the audit scope, together with
the IT services and any outsourced process components (e.g. the performance data collection
elements of Capacity Management).
· Create the content of the audit. Keep the following guidelines in mind when creating an audit
template: focus on the few key capabilities that add most value to the customers; recognize
that processes and capabilities depend on and influence each other; and benchmark yourself
against best-in-class companies. Set target levels accordingly.
· Gather data from multiple groups on current and desired capabilities. This information may be
collected by degrees.
° For a 90 degree assessment, collect data only from the management team of the unit
being audited. This method is quick but often deceptive, as managers’ self-reports may be
biased.
° For a 360 degree assessment, collect data from multiple delivery units within the IT
organization. Different units may tell different stories, and can provide insights that might
otherwise be missed.
° For a 720 degree assessment, collect information not only from inside the company but also
from outside groups. These groups are important because it is in their eyes that the IT
organization’s intangible value matters most.
· Synthesize the data to identify the most critical capabilities requiring managerial attention.
Look for patterns in the data and focus management attention on no more than three
capabilities required to deliver the strategic quality-related goals. Identify which capabilities
will have the most impact and which will be easiest to improve.
· Put together an action plan with clear steps to take and measures to monitor, and assign a
team to the job of delivering the critical capabilities. Actions might include coordinating
training, setting performance levels or investing in certain areas to leverage existing
capabilities. Establish a timeframe of 90 days for the plan’s execution.

VIII. Establishing and applying a process for continuous improvement

IT organizations focusing too much on the stamp from the RCB instead of adopting the
philosophy behind the standard are likely to slip back into non-conformance after obtaining the
certificate, as management attention is likely to shift to other priorities.

This is nevertheless all too common, even though the standard is all about
‘continuous’ improvement and learning at all levels of the organization. Any breach of agreed
service levels should, for example, by definition lead to improvement initiatives. Similarly, the
quality system should have mechanisms to detect weak points in the way quality is planned and
controlled, and take appropriate corrective and preventive action.

Only if the need for performance-based continuous improvement is embraced at the highest
management level, and these plans are also put into action, is the organization likely to enjoy
the benefits of ISO 20000. And action is something quite different from creating bookshelves of
procedures and reports …

Observations and recommendations

A stamp is just a stamp. Just as the value customers perceived in the ISO 9000 stamp
was devalued when too many unworthy organizations got certified, the same risk is lurking for ISO
20000. For this reason IT organizations considering ISO 20000 should not drive just for
certification, but for a mind-shift within the people managing and producing the IT services. It
should be about creating a continuous performance-based planning and control cycle and
stimulating individuals to display desired behavior. Driving purely for certification risks passing the
audit and then having people go back to business-as-usual. This does not mean that the certification is
without value, however. It should just be seen in the right perspective.

ISO 20000 certification means that IT organizations can prove they are deploying best
practices in IT service management, because an independent, external evaluation against the
formal standard has been carried out by an approved audit organization. The value of the
external auditor lies not so much in the mandate to grant the certificate. The independent,
unbiased view of an external person should result in a list of valuable improvements the
organization can use to make the next step. This is where one RCB can differentiate itself from
another. They can all certify, but some just stamp organizations while others add value. This point
touches on one of the other weak points of the certificate.

The value of the ISO 20000 label depends to a large extent on the strictness of the RCBs granting
it. Opportunistic audit companies, looking for means to increase their short-term revenue, may
apply lax principles when examining the evidence provided, undermining the appreciation of
the certificate in the long run. This is yet another reason to go for the true value of ISO 20000:
the establishment of a customer-focused, end-to-end managed IT organization.

But there is still the risk of ISO implementations, even performance-based ones, resulting in
bureaucratic paper- and number-generating exercises, destroying value instead of creating it.
Dichter, Gagnon and Alexander (1993) provide some guidelines that might prevent this:
· Performance is the objective. Based on the business and IT strategy, specific (financial)
performance objectives need to be defined.
· Strategy and structure still matter. Knowledge, resources, accountability and decision-making
framework, function profiles etcetera need to be in place as a supporting structure.
· Teams are key building blocks. Teams need clear performance targets and follow-up
measurement to make sure they produce the desired output.
· Focus is essential. Focus means trade-offs. Selecting only a limited number of key metrics
(value drivers, KSFs, KPIs) enables the organization to focus.

To ensure the required people take ownership and put the guidelines mentioned above into
action, changes in the incentive structure at all levels of the organization may be required to
stimulate continuous improvement initiatives. When done properly, this should result in
sustainable ISO 20000-based IT business value creation.

References:
1. Alexander, A., Dichter, S., Gagnon, C., Memo to a CEO: leading organizational transformations, The McKinsey Quarterly, No. 1, 1993.
2. BS 15000-1:2002 Part 1: Specification for Service Management.
3. BS 15000-2:2003 Part 2: Code of Practice for Service Management.
4. Herwaarden, H., The IPW Maturity Model™ and IPW™, white paper Quint Wellington Redwood, 2005.
5. ISO 9000:2005, Quality Management systems, Fundamentals and vocabulary.
6. ISO 9001:2000, Quality Management systems, Requirements.
7. ISO 20000:2005, Information Technology - Service management.
8. Kaplan, R. S., Norton, D. P., Strategy Maps: converting intangible assets into tangible outcomes, Harvard Business School Press, 2004.
9. Ulrich, D., Smallwood, N., Capitalizing on Capabilities, Harvard Business School Press, 2004.
10. Vincent, N., Eichelsheim, E., Demystifying IT Business Value: Operationalisation of strategic IT themes and measuring IT performance, white paper Quint Wellington Redwood, 2005.
11. Zielemans, F., IT value preservation in the SOX-era: BS 15000 and IPW™ as means for effective process control, white paper Quint Wellington Redwood, 2005.

Quint Wellington Redwood: specialist IT management queries

Quint Wellington Redwood – or ‘Quint’ – is a leading independent organization consultancy
firm entirely dedicated to resolving IT-related organizational challenges. We provide our
services all over the world, operating in more than 49 countries, spread across four continents.
Quint focuses on strategy, sourcing and service management, creating and implementing best
practices worldwide. Quint provides consultancy, measurement and education across the
Business-IT management domains.

Quint’s clients are leading organizations from all industries that strongly depend on IT. They
rely on Quint to make a difference in achieving integrated management of their business and
IT domains, resulting in strategic advantage over their competitors. A strong commitment to
results in the execution of our advice is key to our “Dare to Challenge” identity.

We constantly challenge ourselves and our customers to dramatically improve performance
and achieve greater added value. In doing so, we are not only reinventing our customers’
organizations, but the consulting industry itself!

© Copyright 2007, Quint Wellington Redwood. All rights reserved. No part of this publication may be reproduced, transferred and/or
shown to third parties without prior written consent of The Quint Wellington Redwood Group.

QUINT WELLINGTON REDWOOD

info@quintgroup.com www.quintgroup.com
