Free Downloads

ISO 20000: 2011
ITIL 2011 MMap

Request for Change (RFC) Template

Major Incident Report Template

ISO 20000/ITIL Timeline poster


Sponsored Links



Apr 18, 2012

ISO 9000 - ISO/IEC 27001 - ISO/IEC 20000: How do They Fit Together?

With newly refreshed ISO/IEC 20000 alignment to ISO 9001 and ISO/IEC 27001, I thought it would be nice to have a set of more detailed information about relations between these three, all in one place.

Think, there is a great chance that a Service Provider aiming for 27001 or 20000 already implemented ISO 9001. And once we have two standards out of these three, how much more work is it to get the third one?

For new people here:

If a company already adopted a Quality Management mindset from 9001, then going either for 27001 (Information Security Management) or 20000 (Service Management) is a natural thing. Usually the order of implementation is determined by local market demand and governmental regulation of the core business (Financial organizations, Service providers, military...).

Implementation of ISO/IEC 27001 brings a significant market advantage to a Service Provider, since it is often a requirement in tenders, especially in European countries. It will make you care about security, both yours and of your customer. In the beginning it will feel a bit restraining, but for a good reason. It will significantly reduce risks of losing contracts due to information security reasons.

ISO/IEC 20000 requires a broad specter of implemented processes, but if you are a service providing organization with some experience and knowledge of ITIL (could it be otherwise?), then it shouldn't be a problem. It will only make you define neglected or less cared for aspects and Service Management processes.

Here is a simple diagram I use in presentations to communicate a quick win-win feeling to the audience:
Overlapping ISO 9001, 27001 and 20000
How ISO 9001, 27001 and 20000 overlap

And here is a table of more detailed relations.
ISO 9001 - ISO/IEC 27001 - ISO/IEC 20000 Mapping
ISO 9001 - ISO/IEC 27001 - ISO/IEC 20000 Mapping

This is still a working version of the table, but still pretty usable. Hope you enjoy it. If it displays too small for you when clicked on, you can copy it with rightclick and paste it to your favorite text or picture editor. Or, click here on my Google pages.

Apr 17, 2012

ISO/IEC 20000 Refreshed

As we all probably know, in February this year a new edition of ISO/IEC 20000-2 (Guidance on the application of service management systems) was published, following the last year's (April 15.) new edition of ISO/IEC 20000-1. Now that we have Requirements and Code of practice, we can talk more on what's new and how it fits in what we already have.

I would like to shortly outline main new moments that happened to ISO20k during last year.

First, as expected, standard is more mature and seasoned. After 5-6 years in production, bottlenecks and most of logic-defying points are corrected.

There are more requests (256 "SHALLs" vs. previous 170) but they are more reasonable, understandable and even somewhat less demanding then before.

Language is "internationalized", in a way that you don't have to be born in UK to understand most of it.

Also, terminology and content is made more compatible with ISO 9001 and ISO/IEC 27001 since these standards are likely to coexist in Service Support organizations.

ISO/IEC 20000 Process Schema
ISO/IEC 20000 Process Schema

Some changes reflect a shy alignment to ITIL 3, although the overall concept indicates major divorce from ITIL altogether. Prior to pre-release info, this was a subject of guesswork: is the new edition going to be aligned to ITIL V3? So we got our answer-a firm NO.  It would be difficult to align to ITIL's new 'I want to be all and encompass everything' philosophy. So ITIL is now more aligned to ISO20k then vice versa.

Additionally, ITIL is now lifecycle-oriented framework of best practices (or wannabe best :) and ISO20k is a process-oriented standard, so the intentions behind each one are basically different.

Clause 3 Terms and definitions now has 37 terms instead of 15 from previous edition. Two items are removed: service desk, and change record. Service Desk since it refers to a function, and ISO20K is process oriented with no other organizational references.  Change record probably to remove potential ambiguity with ISO9000 records.
  • Some additions to clause 3 are for additional compliance with ISO 9001: continual improvement, corrective and preventive action, customer, nonconformity etc.
  • Some other additions refer to ISO/IEC 27000 family: information security and information security.
  • Also a few are here to refer flirting with ITIL 3: service, service request, transition...
Previous clauses 3 Requirements for a management system and 4 Planning and implementing service management are now merged to 4 Service management system (SMS) general requirements. Introduction of SMS is the main indicator of alignment with ISO9000 (Quality Management System - QMS) and ISO/IEC27000 (Information Security Management System - ISMS).

ISO/IEC 20000 with number of SHALLs for every clausee
ISO/IEC 20000 with number of SHALLs for every clause

Former Incident management now became Incident and service request management, one of small concessions to ITIL 3.

A significant tribute to ITIL 3 is clause 5 Design and Transition of new or changed services. Which represents a serious chunk of 20k, but that's about it, if we are looking for an expansion of ITIL ISO20K love story.

There is no release module any more, and Release management is now in 9 Control processes, logically  together with it's sisters Change and Configuration management, now called Release and Deployment management, just to be sure everyone understands what is it all about.

Catalogue of services is not just a recommendation in part 2, it is required in clauses 4, 5 and 6.

Clause 4.2 Governance of processes operated by other parties is added in order to make SP demonstrate management of his external suppliers and internal business organizations which participate in service delivery.

These are the basic changes I've noticed. My opinion: ISO/IEC20000 goes in the right direction. Requirements are more mature and aligned with the real world. ISO20k is a very useful formal framework for service improvement, aligned with industry best practices. Especially when used in synergy with ISO 9000 and ISO/IEC 27000. If you are a serious service provider (as my company is), then 20000 is the way to go. It is good for you and your company too.

Apr 6, 2012

ITIL Continual Service Improvement

Continual Service Improvement
CSI is not strictly a lifecycle stage, since it spans through all four other stages. It is mainly a set of Quality Management skills put together to make better Strategy, Design, Transition and Operation. Therefore the main tool is Deming's circle (Plan-Do-Check-Act) together with Seven-step Improvement process.

Continual Service Improvement relies also on change management and capability improvement methodologies. Everything is oriented to align processes from Strategy to Operation, and thus comply to changing business requirements.

Purpose of ITIL Continual Service Improvement is to ensure IT Services alignment with business needs. This is  done via improvements to IT services through Strategy, Design, Transition and Operation stages. We want to improve effectiveness of service, process and cost.

I will quote these in a best effort to provide quality info under 'fair use' terms
  • Review, analyze, prioritize and make recommendations on improvement opportunities in each lifecycle stage
  • Review and analyze service level achievement
  • Identify and implement specific activities to improve IT service quality and improve the efficiency and effectiveness of the enabling processes
  • Improve cost effectiveness of delivering IT services without sacrificing customer satisfaction
  • Ensure applicable quality management methods are used to support continual improvement activities
  • Ensure that processes have clearly defined objectives and measurements that lead to actionable improvements
  • Understand what to measure, why it is being measured and what the successful outcome should be
  • Overall ITSM health
  • Alignment of Service Portfolio with changing business needs
  • Organization maturity and capability
  • Continual improvement of all aspects IT services and supporting assets
  • Continual service quality improvement
  • IT Services alignment to business needs
  • Cost effectiveness
  • Identification of improvement opportunities in all processes via monitoring and reporting
  • Identification of improvement opportunities org. Structures, resources, partners, technology, training and communications
Here are some Key principles:

CSI approach
It is a somewhat changed improvement approach from V2. here are steps and deliverables:
  • What is the vision? - Align with business vision, mission, goals and objectives
  • Where are we now? - Baseline assessments
  • Where do we want to be? - Measurable targets
  • How do we get there? - Service and process improvement
  • Did we get there? - Measurement and metrics
  • Feedback branch to beginning is How do we keep the momentum going? - Manage the implementation of improvement changes
ITIL Continual Service Improvement Mind Map
ITIL Continual Service Improvement Mind Map
Service Measurement
Why do we Measure?
  • To validate
  • To direct
  • To justify
  • To intervene
Baseline - current state of CI used as reference value for future comparisons

Vision to measurements:
  1. Vision
  2. Mission
  3. Goals
  4. Objectives
  5. CSF
  6. KPI
  7. Metrics
  8. Measurements
The seven-step improvement process
This is the only process in CSI, as title says it consists of seven steps, nicely mapped to a Deming's PDCA cycle and Knowledge management DIKW cycle. Picture is worth 1000 words. Enjoy:
CSI Seven-Step Improvement Process diagram
 CSI Seven-Step Improvement Process diagram

Apr 4, 2012

ITIL Service Operation

ITIL Service Operation
Finally! Service Operation is a real man's book. This is where it happens. Here we make money. All we do in Strategy, Design and Transition makes sense here. Service Provider does day-to-day activities of keeping the service available and customer happy.
If you are going to read any of the five books, my bet is that this will be the one. Since in the beginning we are all interested in consequences more than causes. 

To do everything necessary for service delivery at agreed levels.

  • Minimizing the adverse impact of service outages on business activities
  • Delivering and supporting the agreed services effectively and efficiently
  • Maintaining access to services for authorized customers (and no one else)

  • People
  • Processes (Service Management)
  • Technology
  • Services

  • Reduced outage duration and frequency
  • Operational results and data provided
  • Enforcement of security policy

ITIL Service Operation Mind Map
ITIL Service Operation Mind Map

Service Operation Processes:

Incident Management
Key process, one of the oldest Service Support processes. If you know anything about ITIL, odds are that you know Incident Management. It is in charge of restoring disrupted service as soon as possible.

Event Management
This process was added in V3 to address emerging use of monitoring tools in IT and describe the relation to Incident Management from V2.

Request Fulfilment
This is another offspring of the holly Incident Management, cause of many an internet forum discussion 'What is Request Fulfilment?" or likes.  Definition is simple: Request Fulfilment manages customer requests. Which by definition can be: requests for info or advice; for a Standard Change or for access to an IT Service. Simple. Have a look at article about password reset.

Problem Management
As opposed to Incident Management, Problem Management seeks underlying causes of one or more incidents and through lifecycle of known error-workaround-permanent fix,  strives to minimize the adverse impact of problems to the business process. Problem Management can be reactive and proactive.

Access Management
Another new one in V3. This is actually a process which spends a lot of Operations time - handling customer access rights . New users, approvals, identity statuses, logging and tracking, removal of rights.

Service Operation Functions:

Service Desk
The only function in V2, Service Desk is the single point of contact (SPOC) and an interface to a user for all communication with service support, all Operation and most of Transition processes. With accent to Incident Management, Request Fulfilment and Event Management.

Technical Management
Technical Management takes care of technology competencies. It identifies, develops and refines the knowledge needed to design, test, manage and improve the service. It also manages trainings and deployment of resources.

IT Operations Management
Operations Management does daily operational activities needed for IT Infrastructure management. It consists of Operations Control which performs routine operational tasks, and Facilities Management which manages physical environment.

Application Management
Application Management was a separate book in V2. It is responsible for managing Applications across their lifecycle (Requirements-Design-Build-Deploy-Operate-Optimize).

Apr 2, 2012

ITIL Service Transition

Service Transition Banner

Service Transition is a stage which gives most pain to the IT Service Provider. Transition (add new, change existing, retire old service) is a source of many service disruptions. So we want our transition of service to be planned, built, tested, evaluated and deployed in an organized and controlled manner.
To ensure that new or modified services are in conformance with business requirements, as defined in previous Strategy and Design stages, and that services which are no longer needed are properly retired.

  • Efficiently and effectively plan and manage service changes
  • Manage change risks
  • Release planned changes
  • Manage expectations on new or changed services
  • Manage accurate knowledge and info on changed services and assets

  • Better estimation of cost, timing, resource requirement and risks
  • Higher volumes of successful change
  • Reduce delays from unexpected clashes and dependencies
  • Reduced effort spent on managing test and pilot environments
  • Improved expectation setting for all stakeholders
  • Increased confidence that new or changed services can be delivered to specification without unexpectedly affecting other services or stakeholders
  • Ensure that new or changed services will be maintainable and cost- effective
  • Improved control of service assets and configurations.

Creating new and changing existing services, implementing new and changed services, service retirement. Plan-build-test-evaluate-deploy.

Key principles
  • Align service transition plans with the business needs
  • Implement all changes through transition
  • Adopt a common framework and standards
  • Maximize re-use of established processes and systems
  • Manage relationships with stakeholders
  • Manage systems for transfer of knowledge and decision support
  • Plan release packages
  • Proactively manage resources across transitions
ITIL V2011 Service Transition Mind Map
ITIL V2011 Service Transition Mind Map

Service Transition Processes:
Transition Planning and Support
Since Transition is so important, ITIL  defines the separate Transition Planning and Support process in order to manage and control changes and releases, from overall planning to specific transition resources management. The accent here is on standardization and best practices, managing of overall resources and helping with major changes and releases but not detailed planning of individual changes.
Change Management
Change Management is the key Transition process, and one of the key ITIL processes altogether. Since changes are the main cause of service disruptions, we want as much control of change as possible. In Change Management we ensure that all changes are recorded and evaluated. Authorized changes are prioritized, planned, tested, implemented, documented and reviewed. This way number of failed and unauthorized changes is significantly reduced, as well as number of resulting incidents and problems.
Service Asset & Configuration Management
This process was previously named Configuration Management and dealt with Configuration Management Database (CMDB). It looked and sounded too technical which scared off some new business-minded people in ITIL. In fact, Conf. Management was in charge of our knowledge of infrastructure: what do we have, where it is and how it works. To be more in spirit of the business aspect of this process, Asset management flavor was added, so now we follow lifecycle of IT assets from cradle to grave and actual info on this assets is available from all processes, any time.
Release and Deployment Management
Previous Release Management was the most difficult to explain in an "Elevator presentation", so deployment was added in order to enable Americans to get it quicker. It would be less confusing if it was called only Deployment management from the beginning. In a nutshell (or elevator :)) RDM deals with consequences of Change Management process: build, test and deployment of releases.
Service Validation and Testing
This one is a separate process since it is a discipline used throughout the lifecycle, mainly from Change and Release management. Service Validation and Testing will ensure that the service will deliver expected outcomes, and that it is 'fit for purpose' and 'fit for use' (Utility and Warranty, remember them from Strategy?).
Change Evaluation
This was 'Evaluation' in V3, and probably since no one knew what it relates to, they added 'Change' in 2011. So now we know it is a process which deals with evaluation of change. It is implemented to identify all predicted and unpredicted change effects. Smaller changes can be evaluated within Change Management, and for more significant changes (up to company to decide).  It is triggered before every approval point.
Knowledge Management
Knowledge Management was such a hype in 90's! Here in ITIL Service Transition, it is added as a nice to have process which is even in the foundations syllabus. General idea is to capture and manage knowledge as Service Provider's intellectual property. Methods are classic KM, I even recommend the reading since it is digest version of all I once knew about Knowledge Management.