White paper
Many people fear that this is another bureaucratic nightmare that will deliver no value. And of
course, just as with ISO 9000, there is a risk that what gets embraced is not the concept of driving
for quality but only a paper reflection of it, leading to an organization that thinks about ISO only
when it is time for the next audit. But when applied properly it can indeed add substantial value
for businesses, especially in information-intensive industries.
This white paper describes not only how to implement ISO/IEC 20000 in your organization in
a way that actually adds measurable financial value, but also what it is about and how it
relates to some of the other popular models in the market space.
Dare to challenge
ISO/IEC 20000
Published by the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC), ISO/IEC 20000:2005 is the first worldwide quality standard
specifically aimed at IT support and maintenance organizations. It describes an integrated set of
processes and a management approach for the effective delivery of IT services to the internal or
external customer.
ISO/IEC 20000 is basically a marriage between two best practices: ITIL and ISO's management
system standards ISO 9001:2000 and ISO 14001:2004. ITIL stands for Information Technology
Infrastructure Library and is a set of processes that cooperate to ensure the quality of IT services,
according to the quality levels agreed with the customer.
The main differences between ITIL version 3 and ISO 20000:2005 are the quality management
system and the possibility of certification by an independent auditor. These and other properties
make it an interesting concept for any internal or external service provider providing application or
infrastructure management services to its clients.
Business pull
ISO 20000 provides, like ITIL, a framework to shift from a ‘technology push’ way of looking
at IT service delivery to a more ‘business pull’ approach. Today IT organizations are still
mostly organized in functional areas (or stove pipes) like network management, application
management, application development and so on. This ensures an efficient way of working, but
defining IT services this way is not aligned with the perception of an end-user selling mortgages,
as he or she could not care less about what a WAN backbone or an OS390 mainframe is.
The end user is interested in the availability of those automated information processing
functionalities necessary to execute his or her job, for instance selling mortgages. It is up to the IT
organization to provide this requirement as a ‘black box’, requiring end-to-end management of the
whole IT chain, starting with the client business application and desktop, to LAN, to WAN, to datacenter
LAN, to application server, to database server (figure below).
ISO 20000 provides the IT organization with a set of coherent service management processes
and a quality management system to manage the full service life cycle of an IT service from the
end-user’s perspective.
[Figure: classic functional organization versus end-to-end service orientation. Both views show the same components (Service Desk, Communications provider, Communications, Problem Management, Change Management, Functional Area Management, Service Level Management, Portal, Application, Database); in the service-oriented view they are managed as one chain from the end-user’s perspective.]
Where does ISO 20000 come from?
The roots of the ISO/IEC 20000:2005 standard published in December 2005 go back as far
as 1995 when the British Standards Institute (BSI) published a document named Code of
Practice for Service Management, providing IT managers with guidelines on managing the
support and maintenance of IT services. This guide was followed in 2000 by the first release
of the British Standard 15000 named BS15000-1:2000 Part 1, Specification for Service
Management.
The ISO 9000 family of standards listed below has been developed to assist organizations of
all types and sizes to implement and operate effective quality management systems (ISO
9000:2005).
· ISO 9000 describes fundamentals of quality management systems and specifies the
terminology for quality management systems.
· ISO 9001 specifies requirements for a quality management system where an organization
needs to demonstrate its ability to provide products that fulfill the customers and applicable
regulatory requirements and aims to enhance customer satisfaction.
· ISO 9004 provides guidelines that consider both the effectiveness and efficiency of the
quality management system. The aim of this standard is improvement of the performance of
the organization and satisfaction of customers and other interested parties.
· ISO 19011 provides guidance on auditing quality and environmental management systems.
Together they form a coherent set of quality management system standards being adopted by
companies all over the world.
The standard was developed in close cooperation by the BSI, the Central Computer and
Telecommunications Agency (CCTA) and the IT Service Management Forum (itSMF). Part 1 was
reissued in 2002 and followed by Part 2 in 2003, leading to a documentation set that today
consists of four publications:
· BS 15000-1: 2002 Part 1: Specification for Service Management
· BS 15000-2: 2003 Part 2: Code of Practice for Service Management
· BIP 0005: 2004 IT Service Management: A Manager’s Guide
· PD0015: 2002 IT Service Management: Self-assessment Workbook
The first two documents form the actual BS 15000 standard, while the other two provide
additional information and assistance in its application within IT organizations.
BS 15000 is not the only standard published by BSI and later on adopted by ISO. The security
standard BS 7799, first published in 1995, preceded it by some five years in being adopted
as ISO/IEC 17799 (eventually to be renamed ISO/IEC 27001).
ISO/IEC 20000 integrates, like ISO/IEC 17799 and BS 15000, the process-based approach
of ISO's management system standards ISO 9001:2000 and ISO 14001:2004, aimed at
enabling organizations to engage in a continuous improvement cycle, based on Deming’s Plan-
Do-Check-Act (PDCA) cycle. Though continuous improvement is also an aim of ITIL, ISO/IEC
20000 provides more specific guidelines on quality management.
[Figure: elements of the ISO/IEC 20000 management system: management responsibility; document requirements; competence, awareness and training; planning and implementing service management (plan, implement, monitor, improve: the PDCA cycle).]
Like ISO/IEC 17799, ISO/IEC 20000:2005 consists of two parts and has the general title
Information Technology - Service management.
Both part 1 and part 2 of BS 15000 are replaced by the ISO/IEC standard, and certification is only
possible against the ISO 20000 standard.
When do you use ISO 20000?
There are several business issues where ISO 20000 can prove its value, but it will
only do so if it is applied properly. The standard should be applied as a means, like
COBIT, ITIL or Six Sigma, to achieve the strategic objectives of the organization.
Certification should therefore not be seen as a goal in itself, but as a logical part of the
continuous journey towards higher quality and productivity figures. But sometimes the choice whether
or not to certify is not left to the IT organization to make.
IT organizations are, directly or indirectly, funded by their customers, and especially in information-
intensive businesses certification against ISO is frequently a mandatory requirement. The rationale
behind this is the direct link between the quality of IT services and the quality of end products and
services produced by the customers’ business processes.
ISO 9000 too generic
The typical business domain is familiar with ISO 9000, as this in general is the standard the IT
organization has to get certified against. However, ISO 9000 has several drawbacks. One drawback
is the fact that it is a generic standard, another being the risk of becoming a resource-hungry and
bureaucratic nightmare. This last drawback is also applicable to ISO 20000 if it is applied
incorrectly.
There have been earlier efforts by the JTC 1 team of ISO to overcome the drawback of ISO 9000
being too generic, by creating ISO 9000-3, TL 9000, ISO 15288 and more than 500 other IT-
related ISO documents.
ISO 9000-3 is a guidance document which explains how ISO 9001 should be interpreted within
the software industry, while TL 9000:2001 is also based on ISO 9000 and 9001 but focused on
telecommunication. ISO 15288 provides guidelines on improving the quality of the IT system
lifecycle. ITIL and ISO 20000 in comparison focus on aligning IT services to the business needs
and thus focus on the lifecycle of the IT service as a whole. But as systems together - from an end-
to-end perspective - make up a service, there is no reason why both standards cannot coexist: they
simply have a different focus.
In the end it is up to IT management to get the message across to their customers that certification
against ISO 20000 and one or more other IT specific ISO standards adds more business value
than ISO 9000 and 9001.
From the beginning ITIL has been publicly available. This means that any organization can use
the framework described in the books. Because of this the IT Infrastructure Library guidance
has been used by a diverse range of organizations, such as local and central government,
energy, public utilities, retail, finance, and manufacturing. Very large organizations, very small
organizations and everything in between have implemented ITIL processes.
Being a framework, ITIL describes the contours of organizing Service Management. The
models show the goals, general activities, inputs and outputs of the various processes, which
can be incorporated within IT organizations. ITIL does not cast in stone every action that
should be done on a day-to-day basis because that is something which will differ from
organization to organization. Instead it focuses on best practice that can be utilized in different
ways according to different needs.
Legislative compliance
Another topic high on today’s IT managers’ agenda is legislative compliance, and again ISO 20000
can be of use when properly applied. The misconduct of WorldCom, Enron and others drove the
US government to create additional legislation, known as the Sarbanes-Oxley Act (SOX or SOXA),
followed by various similar laws throughout the world, like the 8th Directive in the European Union
(EU). Basically SOX demands that all publicly traded companies in the US leave an audit trail so
that all the information in their financial reports can be verified, and it requires codes of ethics for
senior (financial) executives. Financial reports for external stakeholders became, like airplanes,
objects that have to be checked and double-checked to make sure they are safe to use.
The creation, mutation, storage and transportation of financial reports is largely automated
nowadays, making the IT function one of the aspects within the scope of SOX. To ensure only
reliable financial data makes it into reports, proper control mechanisms have to be created
ensuring confidentiality and integrity of financial data, or any other data that influences the financial
results.
Financial figures are the outcome of decisions made in production, sales and other departments,
and adequate control and audit mechanisms must therefore be applied to these IT systems as well.
In short: the maturity of planning and control of the whole IT function has to be assessed and the
outcome has to be translated into an improvement plan. It is here that ISO 20000 can be of use, as
it supports legislative compliance by:
· Providing a framework enabling a high level of operational IT control, in contrast to COBIT, which
focuses more on strategic and tactical controls and processes (figure below);
· Having mature key processes like change, configuration, security and incident management;
· Leaving an auditable documentation trail of, among others, changes, incidents, CIs and security
issues;
· Requiring regular auditing of the IT organization by internal and external auditors.
The two examples briefly discussed above are just the tip of the iceberg regarding the business
issues that can benefit from applying (parts of) ISO 20000. Other examples are improved
business-IT alignment by implementing cross-functional customer oriented processes and
improved capabilities of managing external service suppliers (ESPs) providing outsourced IT
services.
High level mapping of popular IT frameworks
More than best practice ITIL
ISO 20000 is partially founded on the best practice ITIL but takes it a step further.
One of the drawbacks of ITIL is its lack of an objective baseline to benchmark
against. This is now partially tackled by the ISO 20000 standard. The lack of a
baseline resulted in many ESPs claiming they were ‘ITIL compliant’ without any norm
defining what this compliance actually means. This was very confusing for customers looking
for service providers that use sound service management concepts to manage their IT. But
now customers and IT organizations have a clear and transparent standard to hold on to: ISO
20000 certification.
Besides certification of organizations, itSMF also developed exams allowing individuals to take
training courses and examinations that lead to two certificates: the ISO 20000 Auditor Certificate
and ISO 20000 Consultant Certificate. Course providers seeking to add these courses to their
portfolio have to get accredited by itSMF before they are allowed to conduct classes.
Management control
Passing an audit by an RCB (Registered Certification Body) requires the IT organization to
demonstrate that it has management control of all of the processes defined within the ISO 20000
standard. Within this context ‘management control’ of a process consists of:
· Knowledge and control of inputs related to the service that is delivered to the customers of
the IT organization, for instance resources, documentation, contracts with external suppliers;
· Knowledge, use and interpretation of the outputs that the IT organization produces, for
instance services and customer satisfaction (figure below);
· Definition and measurement of metrics to ensure an effective and efficient service delivery, for
instance Key Performance Indicators (KPIs) and Critical Success Factors (CSFs);
· Demonstration of objective evidence of accountability for process functionality in
conformance to the ISO 20000:2005 standard, basically meaning that the IT organization has
to prove to the auditor that it meets the requirements of ISO 20000:2005 part 1;
· Definition, measurement and review of process improvements is another key element of
control, as it ensures that the organization gets into a cycle of continuous improvement of both
quality and business-IT alignment.
[Figure: Plan-Do-Check-Act loop of management control: PLAN (customer requirements, plan service management); DO (management services delivered by the Service Desk, teams and people, other teams e.g. Security, and IT Operations); CHECK (monitor, measure and review); outputs: business satisfaction and team and people satisfaction.]
Ensuring management control is however easier said than done. The next chapter will
therefore elaborate a bit more on the implementation side of ISO 20000 and how its value
becomes available to the organization.
How to get ISO 20000 to work for you
The ISO based approach to developing and implementing a quality management system
consists of several steps, including the following:
IT business value
Value from a customer perspective is created if the price the customer is willing to
pay is higher than the actual price (customer surplus). Business value from the IT
organization’s perspective is created if the received price is higher than the
accompanying cost. If the IT organization has a profit and loss responsibility, an IT surplus
can also be identified.
[Figure: Value creation (price paid by the customer versus cost of the IT organization).]
In other words, though ISO 20000, and all the other ISO standards for that matter, focus
primarily on quality improvement, it is imperative to make a translation to financial terms at a
certain point, when the organization wants to justify the investment to its owners. A simple
example of such a performance indicator is the average resolution time of incidents. If it
decreases, it results in less downtime in the customer domain (= more revenue), with the added
bonus of less time spent by the IT organization on incident solving (= lower costs). Based on
a clear definition of the needs and expectations of the customers, the IT organization can
determine which services it wants to develop and produce itself and which it wants to insource
from third parties. As soon as the needs and expectations of all stakeholders are identified,
measurable objectives can be set.
II. Establish quality policy and quality objectives
Defining objectives and steering towards them requires the IT organization to explicitly manage
its performance. Performance management within this context has a typical set-up. First, the
organization formulates a quality policy and long-term quality-related objectives. Second, the policy
and the corresponding objectives are translated into Key Performance Indicators (KPIs) and
target levels. KPIs are measurable indicators which give a quantitative view of the
organization’s performance. The KPIs are often put on a scorecard, an instrument used for
communicating and analyzing the performance of the quality system. Third, the qualitative
indicators have to be mapped to financial indicators.
[Figure: strategy map linking three perspectives. Learning & Growth perspective: root cause analysis of every security incident; yearly external audit and quarterly internal audit. Internal IT perspective: maturity of the management control cycle at ‘level 3’; compliance to security policy. Financial perspective: more reliable financial data; lower amount paid to accountants; lower WACC; higher market value.]
After the definition phase it is time to implement the proper processes and accountability
framework to ensure that the organization drives towards its objectives.
Moving from current to desired maturity level
[Figure: the IT process model (strategic processes such as Information valuing, ICT HRM, Commercial Architecture, Strategy Sourcing, Finance, Strategic Portfolio Management and Supplier Management; tactical processes such as Relationship Management, Service Level Management, Service Planning, Security Management, Financial Management, Demand, Supply and Contract Management; operational processes such as Business Support, Application Management, Change, Incident, Problem, Configuration, Operations and Release Management, Service Development, Build & Test and Service Operations) shown twice, at the current and at the desired maturity level. Maturity levels from bottom to top: not identified, not performed, monitored, controlled, proactive, improving.]
Consistent with the philosophy, skipping stages is not advisable. This is essential as each
subsequent stage is built on the foundation laid in the previous stage. The stages or maturity
levels are directly linked with the (perceived) added value of the process for the customer
(customer value).
VI. Applying these measures to determine the effectiveness and efficiency of each process
Several methodologies describe the activities required to implement performance
management, but in daily practice organizations find it hard to start the wheels turning. This is
because it takes more than measuring performance using KPIs. It requires influencing human
behavior, management by example and implementation of robust coordination mechanisms to
evaluate the planned performance in a dynamic business context.
VII. Determine the means for preventing non-conformities and eliminating their causes
To motivate individuals and groups within the organization to show ‘desired behavior’,
organizations must measure their output and reward them. Rewards can be in the form of
bonuses, prestige, greater decision rights, promotions and job security. Choosing indicators and
assigning them to individuals and groups is not without risk. A poor choice of metrics can lead to
conflicts or destroy organizational value through individuals trying to maximize their own gain (for
instance Enron and WorldCom).
Proper control mechanisms, auditing and separation of conflicting roles (for instance one
person being responsible for and controlling the outcome of an indicator) are means to prevent non-
conformities and ensure follow-up on any gaps identified. COBIT is strong in defining control
mechanisms. Can ISO 20000 add value by making a translation into operational controls?
Table 1 provides an example by mapping the ISO 20000 Service Level Management process
to related COBIT processes and control objectives.
Table 1. Mapping of the ISO 20000 Service Level Management process to COBIT
ISO process area: Service Delivery Processes
ISO 20000 process: Service Level Management
ISO 20000 requirement: SHALL record and agree all services together with their individual service targets within SLAs
· COBIT control objective 1.1, COBIT process: Service Level Agreement Framework
· COBIT control objective 1.2, COBIT process: Aspects of Service Level Agreements
ISO 20000 requirement: SHALL document and agree all supporting service agreements
· COBIT control objective 1.1, COBIT process: Service Level Agreement Framework
Another useful activity to prevent non-conformities and to eliminate their causes is auditing.
Auditing can be done by both internal and external auditors. The ISO 20000 scheme requires
IT organizations to be audited by an RCB every three years, though the RCB may conduct a
Surveillance Audit every year to review progress on previous minor non-conformances and
identified areas of concern. These external audits may be supported by regular checks for non-
conformance and improvement areas by internal auditors. See the box Auditing on ISO 20000
for some guidelines on performing an internal ISO 20000 audit.
The auditing activity is one of the means to ensure the Plan-Do-Check-Act cycle becomes a
closed loop, by discovering any deviations from the defined plan and objectives and enforcing
action on them. This ensures continuous learning and improvement by individuals and the
organization as a whole.
Auditing on ISO 20000
An IT organization may seek certification of its entire organization or part of it. For certification,
it is not important whether the processes within the scope of the audit are performed entirely
by the IT organization itself or performed partly by other organizations. Certification of the
organization might therefore rely on evidence or contributions from other supplier
organizations.
Ulrich and Smallwood (2004) provide guidelines that organizations should follow when
auditing. These generic guidelines are complemented here with specific ISO 20000 audit requirements.
The steps are:
· Determine which part of the organization to audit. This can be a division, region or entire IT
organization. These organizational boundaries make up part of the audit scope, together with
the IT services and any outsourced process components (e.g. the performance data collection
elements of Capacity Management).
· Create the content of the audit. Keep the following guidelines in mind when creating an audit
template: focus on several key capabilities that add most value to the customers; recognize
that processes and capabilities depend on each other and how they influence each other and
use best-in-class companies to compare yourself. Set target levels accordingly.
· Gather data from multiple groups on current and desired capabilities. This information may be
collected by degrees.
° For a 90 degree assessment, collect data only from the management team of the unit
being audited. This method is quick but often deceptive as managers’ self-reports may be
biased.
° For 360 degree assessment, collect data from multiple delivery units within the IT
organization. Different units may tell different stories, and can provide insights that might
be missed otherwise.
° For 720 degree assessment, collect information, not only from inside the company, but also
from outside groups. These groups are important because it is in their eyes that the IT
organization’s intangible value matters most.
· Synthesize the data to identify the most critical capabilities requiring managerial attention.
Look for patterns in the data and focus management attention on no more than three
capabilities required to deliver the strategic quality related goals. Identify which capabilities
will have most impact and which will be easiest to improve.
· Put together an action plan with clear steps to take and measures to monitor, and assign a
team to the job of delivering the critical capabilities. Actions might include coordinating
training, setting performance levels or investing in certain areas to leverage existing
capabilities. Establish a timeframe of 90 days for the plan’s execution.
This observation is nevertheless all too common, even though the standard is all about
‘continuous’ improvement and learning at all levels of the organization. Any breach of agreed
service levels should, for example, per definition lead to improvement initiatives. Similarly, the
quality system should have mechanisms to detect weak points in the way quality is planned and
controlled, and take appropriate corrective and preventive action.
Only if the need for performance-based continuous improvement is embraced at the highest
management level, and these plans are also put into action, is the organization likely to enjoy
the benefits of ISO 20000. And action is definitely something else than creating bookshelves of
procedures and reports …
ISO 20000 certification means that IT organizations can prove they are deploying best
practices in IT service management, because an independent, external evaluation against the
formal standard has been carried out by an approved audit organization. The value of the
external auditor lies not so much in his mandate to grant the certificate. The independent,
unbiased view of an external person should result in a list of valuable improvements the
organization can use to make the next step. This is where one RCB can differentiate itself from
another. They can all certify, but some just stamp organizations and others add value. This point
touches on one of the other weak points of the certificate.
The value of the ISO 20000 label depends to a large extent on the strictness of RCBs granting
it. Opportunistic audit companies, looking for means to increase their short term revenue, may
deploy lax principles when examining the evidence provided, undermining the appreciation of
the certificate in the long run. Yet another reason to go for the true value of ISO 20000:
establishment of a customer focused, end-to-end managed IT organization.
But still there is the risk of ISO implementations, even performance-based ones, resulting in
bureaucratic paper and number generating exercises, destroying value instead of creating it.
Dichter, Gagnon and Alexander (1993) provide some guidelines that might prevent this:
· Performance is the objective. Based on the business and IT strategy, specific (financial)
performance objectives need to be defined.
· Strategy and structure still matter. Knowledge, resources, accountability and decision making
framework, function profiles et cetera need to be in place as a supporting structure.
· Teams are key building blocks. Teams need clear performance targets and follow-up
measurement to make sure they produce the desired output.
· Focus is essential. Focus means trade-offs. Selecting only a limited number of key metrics
(value drivers, KSFs, KPIs) enables the organization to focus.
To ensure the required people take ownership and put the guidelines mentioned above into
action, changes in the incentive structure at all levels of the organization may be required to
stimulate continuous improvement initiatives. When done properly, this should result in
sustainable ISO 20000-based IT business value creation.
References:
1. Alexander, A., Dichter, S., Gagnon, C., Memo to a CEO: leading organizational transformations, The McKinsey Quarterly, No. 1, 1993.
2. BS 15000-1:2002 Part 1: Specification for Service Management.
3. BS 15000-2:2003 Part 2: Code of Practice for Service Management.
4. Herwaarden, H., The IPW Maturity Model(tm) and IPW(tm), white paper Quint Wellington Redwood, 2005.
5. ISO 9000:2005, Quality management systems, Fundamentals and vocabulary.
6. ISO 9001:2000, Quality management systems, Requirements.
7. ISO 20000:2005, Information Technology - Service management.
8. Kaplan, R. S., Norton, D. P., Strategy Maps: converting intangible assets into tangible outcomes, Harvard Business School Press, 2004.
9. Ulrich, D., Smallwood, N., Capitalizing on Capabilities, Harvard Business School Press, 2004.
10. Vincent, N., Eichelsheim, E., Demystifying IT Business Value: Operationalisation of strategic IT themes and measuring IT performance, white paper Quint Wellington Redwood, 2005.
11. Zielemans, F., IT value preservation in the SOX-era: BS 15000 and IPW(tm) as means for effective process control, white paper Quint Wellington Redwood, 2005.
Quint’s clients are leading organizations from all industries that strongly depend on IT. They
rely on Quint to make a difference in achieving integrated management of their business and
IT domains, resulting in strategic advantage over their competitors. A strong commitment to
results in the execution of our advice is key to our “Dare to Challenge” identity.
© Copyright 2007, Quint Wellington Redwood. All rights reserved. No part of this publication may be reproduced, transferred and/or
shown to third parties without prior written consent of The Quint Wellington Redwood Group.