Free Downloads

ISO 20000: 2011
ITIL 2011 MMap

Request for Change (RFC) Template

Major Incident Report Template

ISO 20000/ITIL Timeline poster


Sponsored Links



Apr 6, 2017

ISO/IEC 20000 documentation eco-system

Here is a full picture of the required documents and records in the ISO/IEC 20000 service management system. We thought it would be nice to have everything in one place. Depending on the number of your requests, we will be posting it as a printable PDF poster. Would you like that?

ISO/IEC 20000 documents and records

Documents belonging to process groups are described in previous posts:

  • Service management document system
  • Control process group documents
  • Resolution process group documents
  • Relationship process group documents
  • Service delivery process group documents
  • Design and transition of new or changed services documents
  • General requirements documents
  • May 23, 2015

    ISO/IEC 20000 SMS general requirements documents

    Which documents are required in SMS general requirements of ISO/IEC 20000? This chapter is about management involvment and adding quality control flavour to service management

    Management responsibility

    It is absolutely impossible to establish an elaborate service management system (SMS) without the active and unconditional support from the top management. The plan and the policy are just dead letters on paper (or screen) if they are not supported with the visible and constant vision-based commitment from the CEO and CIO. Therefore you have to ensure that the service management policy and plan are at least reviewed, approved and backed up by the top management.

    Other parties
    Most of service providers need to include other parties in order to complete some of the service management processes. It is very important that the provider can demonstrate the accountability and authority to manage these processes with an end-to-end visibility.

    SMS General requirements documents
    SMS General requirements documents
    Documentation management
    Two simple procedures have to be established here:
    • Control of documents
    • Control of records
    It is a fact that service providers implementing ISO20k usually have a quality management system (QMS) based on ISO9001, and this makes it easier. If the QMS and the SMS are of the similar scope, then just delegate control of these procedures to the QMS. If it is not the case, just write and implement these two simple procedures. Not a rocket science.

    Resource management
    Parts of resource management requirements can also be delegated to other quality systems. It is very difficult to run a service management system without some essential Human resources practices, so if you already have some, integrate them into your SMS.

    Establish and improve the SMS
    This part of the norm is aligned with Deming's wheel: Plan-Do-Check-Act. Therefore the documents covering this part are:
    • Service management plan
    • Continual improvement policy and procedure
    • Internal audit procedure and plans
    • Audit records
    • Nonconformities
    • Corrective/preventive actions
    • Management review
    • Improvement proposals

    May 5, 2015

    ISO/IEC 20000 Design and transition of new or changed services documents

    Change is hard. Service management people love the Status quo. Introducing new services in your system takes a lot of time, resources, knowledge. Even the slightest changes on an existing service can have adverse impact on the business process.

    Large changes are often done by the technology specialists from architecture or infrastructure departments. They usually don't care much about your service management methodologies and best practices, since they operate by their project management methodologies and frameworks. Some of the common infrastructure project management methodologies are "Nexting" (clicking the Next button until the server is installed), Run'n'gun and Quick'n'dirty. And voila - new service is ready for support.

    This mentality can create barriers between departments and impact the business in a very bad way.
    In order to overcome this, all stakeholders have to agree on set of rules for introducing new/changed service.

    So this is what chapter 5 is all about. Policy, procedural documents and records that cover activities during the service design and transition.


    Design and transition documents

    Policy will describe the general rules of the game. I personally like to add a New/Changed service procedure which will describe the workflow and responsibilities. This ensures that everyone knows what to expect, minimizing the blame management playground.

    Dec 21, 2014

    ISO/IEC 20000 Service delivery processes documents

    Service delivery process group means business. Back in the old days, it was half of ITIL V2 Service Management. This is a large and complex process group oriented towards the customer. Service delivery processes create a lot of documents and records. Where will you keep them?

    For additional info, please have a look at our previous posts:

    For all of these processes and their documents my general remarks are the same as before. Try to have a separate procedure document for each process, even if it is not required. Also, each process should have a policy, at least as a part of the procedure. These should give a quick general knowledge about the process to new employees and provide some structure to the SMS (Service Management System).

    Service delivery process group documents

    6.1 Service level management
    SLM is a key process in Service delivery, most of the other processes depend on it. There is a lot of communication with the customer during the process, and records should be retrievable either from the file system, specialized applications or document management system. All the changes on key documents should be done through the Change management process.

    6.2 Service reporting
    Reports are an important way of communication with the customer. Service provider has to keep records of all agreements about reporting with the customer. Optimal place to put report definitions would be the SLA, or a separate contract. For newly developed reports it would be enough to archive a customer's reply to your mail with the new report proposal.
    All the reports have to be defined according to the requirements, so they can be delivered even if the main assignees are unavailable. Thing vacations, flu seasons… Keep the report definitions in a neat report catalog, and insist on standardized reports as much as possible. If the customer requires something specific, evaluate the requirement, and if it is found valuable, include it in your standard report.

    6.3 Service continuity and availability management
    This process requires a lot of activity and resulting records. The auditor will probably like to see most of them. C&A management is a difficult and tedious process since it doesn't provide immediate business results, but it provides proof that you are serious about your business.

    6.4 Budgeting and accounting
    Here is one process that most of the IT people tend to neglect. If it's true your case too, turn to your finance department and go through the requirements with them. They will most probably be able to help you pull it off.

    6.5 Capacity management
    Capacity management has some very simple requirements and it is rather straightforward. If you are a managed services provider, or if you provide IT services to external customers, try to document and archive your communication with the customer about the capacity, since you have to take into account their resources too. The auditor might want you to prove that you take care of things over the fence.

    6.6 Information security
    If you are implementing ISO/IEC 20000, there is a chance you alredy certified for ISO/IEC 27001. Good for you, since you can redirect most or all of this process requirement to your ISMS (Information security management system). If not, follow the requirements and take care of the produced documents and records similar to the other recommendations from this series of posts.

    So, a bunch of complex processes. Don't be intimidated by them. Plan your implementation, one process at a time. In the beginning, it looks like a Mission impossible. After some time, you'll get used to it :)

    Dec 13, 2014

    ISO/IEC 20000 Relationship processes documentation

    Relationship processes add a human flavor to IT service management. There is a bit more freedom in defining documentation for Business relationship and Supplier management then in ITIL-descended Service Support and Delivery processes.

    In the next few posts I will focus on process specifics. For a more general info  about the SMS document system you can have a look at my previous posts:


    Relationship processes documentation in ISO/IEC 20000

    Business relationship management
    Business relationship management refocuses IT to the customer and his needs. Documents and records can be created in a variety of ways and saved according to your organization document management preference.
    A policy would be nice to have.
    Records serve as the proof that you are performing this process as required. We keep both the documents and records in our document management system, alternatively they can be placed on a shared folder system.

    Supplier management
    Supplier management forces the provider to consider the supplier's ability to stay within agreed SLA parameters.

    Same as the above, documents and records can be in the document management system or in shared folders.

    Dec 5, 2014

    ISO 20000 Resolution processes documentation

    Incident and Problem management, being the most matured processes in service management should be easy to define in ISO20k. But where do we put documents and records? What do we have to pay attention to?

    And here comes the infamous resolution process group. How to deal with these documents and records?

    Incident and service request management
    Procedure: As we know, in Incident management there are three separate procedures. If you are a small service support organization, all three of them can be in one document, as separate chapters.

    Policy is not required, but, as I said, we like to keep the standard form for all processes. Policy, again, can be a separate document or a part of above mentioned procedure document, preferably in the beginning. Your documents will sit in a Resolution process group folder on your file share, document management system or a service management wiki.

    Records: You probably have some kind of a ticketing app, or a full Service Desk application. Your Incident and Service request records will reside there.
    Same as before, you have to agree with the customers about some details, AND don't forget to keep these agreements in electronic or paper form. Your auditor will probably want to see them.


    Resolution process group in ISO/IEC 20000

    Problem management
    Procedure: As we know, the Problem management process can be fairly simple until you start to write it down. Please, try to have fun with this one as we did :)
    Policy: same as above.

    Records: Problem records, known errors, fixes and even reviews can be kept in your Service Desk application, or at least they can be linked to a document repository where they are saved in MS Word, PDF or other form.
    Reports about process effectiveness will be kept in your document repository or maybe somewhere where you maintain your meeting minutes documents.

    Nov 26, 2014

    ISO 20000 Control processes documentation

    Where should we keep our ISO 20k documents? Do we need a sophisticated document system, database or a printed library? Is a shared folders system enough? We asked ourself these and many more questions before we started implementing our service management system.

    Living with our ISO/IEC 20000 Service Management System for years, we gathered some experience and knowledge about it that I will be happy to share here. I would like to spend a few posts on the key parts of the system, with document and record management in focus.

    I have touched the theme in my previous post Service Management Document System, now let's elaborate it through specific process groups.

    Mind you, I am not aiming to describe specific ISO20k requirements, for this you have the standard( I am discussing the specific required and nice to have documents and their whereabouts.

    I will go through each process group and share my experience and opinions.

    Let's start with Control processes. It's in the heart of the ISO 20000 schematic and I really feel these processes deal with the vital documents and records for the service management. So it's a good place to start.

    Configuration management
    Policy: this document will define the main game rules focusing on general non-sequential process rules. After the initial creation, it will not change frequently. Policy can sometimes be a part of the

    Procedure document, but I prefer to put it in a separate document since I find it easier to maintain it.

    Procedure: a document which describes how Cis are tracked. It will also be rarely changed . Policy and procedure can be stored in shared folders or in a document management system. Configuration Item Type Definitions: we have to have these, and it helps if we have the ITSM tool to keep it in.

    CMDB records: if you have CMDB automated in a separate CMDB application or a piece of a ITSM tool, then you are all set, it's a way to go. Otherwise, you have to keep and maintain the knowledge about the customer's infrastructure in one ore (usually) more databases/document repositories. Basic CI info will probably be kept and maintained in your ticketing application. Less structured data can be kept in a separate database and documents. It is very important to keep these data up to date. This can be done by appointing ServiceDesk and/or account managers to be responsible for CI info accuracy. Bad CMDB data are the source of all evil in ITSM. Things to take special care of:

    Catalogue of services - services are Cis, and are usually composed of technical services, dependent of many Cis. Think carefully how will you maintain this data, and especially how deep will you go in granular description of Cis.

    Access data - passwords and accounts for accessing customer infrastructure are very sensitive and it has to conform to 6.6. Information security management.


    Control processes group in ISO/IEC 20000

    Change management
    Policy: again, a separate document or a part of a procedure document. A good practice would be to keep all important non-sequential data in a policy, like definitions, acronyms, interfaces. There are processes which don't specifically require a policy, but we like to create one for every process anyway. See if it works for you.

    Procedure: Only emergency procedure is required, but again it would be nice to have a separate document here defining all types of changes that we perform.

    Emergency change definition: it would be very useful if you can get this definition in a contract with the customer. In case of external customer, most of them insist on their own templates created by their legal, so this Emergency change definition agreement has to be done in a separate contract. Most of the auditors will accept a simple confirmation reply from a customer to your e-mail.

    Records: change schedules, RFCs, plans, analysis, reports are results of CAB meetings and other CM activities, and they can be kept either in your Service Desk tool or on any other tool you use for document management, in accordance with 4.3.2 Control of documents.

    Release and deployment management
    Release policy: same as the other policies. You have to keep a record about your agreement with the customer regarding this policy. It would be best if it is in your SLA but it can also be separate mail exchange or a document signed by the customer.

    Emergency release definition also has to be agreed with the customer.

    Records: plans, control documents, reports/analysis can be kept either in your Service Desk tool or on any other tool you use for document management, in accordance with 4.3.2 Control of documents.

    Jul 15, 2014

    Service Management Document System

    A few words about the service management document system. Whether you implement ITIL processes or a complete ISO/IEC 20000 service management system, your documents and records have to live somewhere. What is the best practice here?

    Let's keep the main thing the main thing. What document system is already at place in your organization? Use it. If your organization has reached the level of maturity to implement the Service Management System, odds are that you already have some kind of a sensible document management software.

    Introducing a new feature, no matter how seductive it may seem, will just prolong the learning curve and increase the resistance to the change. You don't want that. Try to stick with what you have. Implement the system with what you've got and let it live for some time. At the end of the first year, you will know what's missing, and you can take it from there.


    Graph: Service Management Document System
    Service Management Document System

    So, the only thing you have is a file share system? No sweat. It can work very well for you. You have implemented a Wiki in your company? Even better. Even with the hype of wiki fading away and reducing it below its measure, it can be utilized ideally for specific purposes. You have a real document management system, open source or from a renowned vendor? Cool, we will put it to work.

    Internal documents - when we talk about basic service management documents like policies, processes and procedures, these are the documents which won't change frequently. The ideal place for them is where you already keep this kind of documents. File share, document management system, collaboration applications, even paper versions might work. Of course, I'm not very serious about this last one :)

    What you have to have in mind with these documents is that:
    • they must be easily accessed by the authorized personnel,
    • they have to be found and identified quickly
    • approved by authorized people
    • only the last approved version should be accessible to the audience
    • versioning might come in handy.

    If you are kind of halfhearted here, my recommendation for document management here is the Wiki. Any kind of a decent open source or Wiki as a part of some document management system you have deployed. Documents open quickly in any browser, everything is indexable and searchable, and versioning is easily traceable. A bunch of advantages compensate well for the minor difficulties in text formatting.

    External documents - unstructured documents like customer and vendor agreements and contracts, legal documents, laws, norms, company and employee certificates etc. can be in paper or electronic form. For some of them the organization has to conform to legal requirements of keeping and archiving.
    For efficient service provider operation most of the paper documents shall be converted to electronic form and accessible to employees according to their user rights. This is where it gets a bit tricky. Not everyone should be able to see every bit of information.
    Financial parts of contracts should be accessible on a need to know basis. But other operational parts like contact lists, SLA parameters and operation rules should be availyble to everyone involved. How to deal with that?

    In the course of your service manageemnt thrench-line battle, you tend to produce a lot of records. These can be records in your application database or nonstructured records like periodic or on-demand reports. Records, as well as documents, should be legible, readily identifiable and retrievable. Also, they have to conform to requirements for retention and disposal.

    Application records- various service management applications will create records, probably in some kind of relational database.  By their nature, they are not too demanding for space, so they should be retained in operational state as long as needed, sometimes even longer.

    If your Service desk application has trouble indenxing and operating a large number of records, you will move all your older data into an archive (warehouse) database in order to improve the application speed. This way you can easily access your history data for reporting purposes, and keep a swift application operation. Incidents, problems and changes historycal data can come in very handy when you get a request for a report of all the incidents on Apache server since 2007, and their relation to problem records.

    Other, more practical use of long record retention would be very practical: disregarding the implemented Knowledge Management system, Service Desk analysts tend to search for existing incidents and problems in order to find a previous solution to an existing issue. 

    Non-structured records are created every day, these are mostly electronic form documents acompanying the operative or reactive actions in service management. E-mail messages, written documents, spreadsheets and screenshots tend to take a bit more space. Nevertheless, they should be kept according to regulatory and statutory requirements, or longer.

    The best location for them would be an indexed, full text searchable document management system, or at least a shared folder with an indexing option.

    In the end, a piece of advice: anything you can do to avoid the overhead is a good effort. Auditors are reasonable people most of the time. If you have any kind of basic document management system with versioning and approval workflows, you should defend the existing functionality without additional work.

    No use of keeping additional records, versioning tables, approval sheets and stuff if minimal requirements can be satisfied with what you got. Even if something is missing, the auditor will respect your willing not to fake the unnecessary records in order to keep your processes more efficient. Yeah, you'll get a nonconformity or two, a few improvement recommendations, but it will help you to move in the right direction. Have faith.

    Nov 23, 2013

    ISO/IEC 20000 and ITIL Timeline/History

    “History is a set of lies agreed upon.” - Napoleon Bonaparte
    “History will be kind to me for I intend to write it.” - Winston Churchill
    "We learn from experience that men never learn anything from experience.” - George Bernard Shaw

    After ITIL history and ISO/IEC 20000 history posts, this blog has received quite a few requests to create a parallel timeline for the two. We have finally made some time for it and the result is this fancy poster. It is nice to notice the interest of younger IT people for the historical evolution of ITIL and ISO 20k.

    ISO 20000 and ITIL History
    We did our best to collect and consolidate the timeline details from various relevant sources. I will be glad to correct it if someone from the audience notices any inconsistencies or new important events.

    Since this one looks OK, I made it available as a PDF poster.