By Lynda Cooper.
The 2nd edition of ISO/IEC 20000-1 was published in April 2011. During my work training or advising organizations on how to use ISO/IEC 20000, two of the areas that raise the most questions are application and governance of processes. These are covered in Clauses 1.2 and 4.2 of ISO/IEC 20000-1. These were both new Clauses in the 2011 edition of the standard. This blog aims to provide some explanation and guidance about these 2 Clauses.
Application – Clause 1.2
Clause 1.2 of ISO/IEC 20000-1 is headed ‘application’. This sub-clause does not contain requirements i.e. SHALL statements that an auditor will assess for evidence. However, it is a very important part of the standard. Many users of ISO/IEC 20000-1 will only read Clauses 4 – 9 which contain the requirements or SHALL statements. As with all standards, the introduction and Clauses 1 – 3 are very important to position the standard and define the terms used. Many certification schemes will reference items from Clauses 1 – 3.
Clause 1.2 starts by stating that the standard can be applied to any type and size of service provider regardless of services delivered i.e. it can be applied to small or large, public or private, IT services or non-IT services, internal or external service providers.
It then clearly states that no exclusions are allowed when a service provider claims conformity to ISO/IEC 20000-1 i.e. in order to gain certification, a service provider must be able to demonstrate conformity to all of the requirements in Clauses 4 – 9.
It also explains that ISO/IEC 20000-1 is not a specification for products or tools although it can be used to support their development.
Clause 1.2 then goes on to discuss how conformity can be shown when other parties are involved in operating some or all of the requirements of processes in ISO/IEC 20000-1.
For Clause 4, service management system (SMS) general requirements, the service provider must show evidence of fulfilling all of the requirements themselves. They cannot outsource requirements in Clause 4 and rely on governance of processes operated by other parties. Imagine if you outsourced all of Clause 4, including the top management control: you would no longer own or be in control of your SMS! It is acceptable to have other parties doing some of the work of Clause 4 on your behalf, e.g. supporting you to develop the service management plan or conducting internal audits on your behalf.
For Clauses 5 – 9, the simplest scenario is for the service provider to operate all of the processes themselves. However, this is often not the case, and the Clause goes on to clarify whether the standard can be applied when a small or large amount of the service management processes is outsourced.
If the service provider has outsourced the majority of the requirements in Clauses 5 – 9, then the service provider is not able to demonstrate evidence of conformity. It may be possible to ask your supplier to achieve conformity to ISO/IEC 20000-1. Alternatively, another standard such as ISO 9001 may be more appropriate.
If the service provider has outsourced only a minority of the requirements of Clauses 5 – 9 and can demonstrate governance of processes operated by other parties for those processes (or parts of processes), then the service provider is able to show evidence to demonstrate conformity.
Governance of processes operated by other parties – Clause 4.2
There are 3 possible ‘other parties’:
- Suppliers – these are defined in ISO/IEC 20000-1 as external to the service provider’s organization and contracted to the service provider – see Clause 7.2, supplier management, for requirements to manage suppliers
- Internal groups – these are defined as in the same organization as the service provider but outside the scope of the SMS. There will be a documented agreement between the service provider and the internal group – see Clause 6.1, service level management, for requirements to manage internal groups
- Customers acting as suppliers – the customer can operate a process or part of a process e.g. the customer operates the 1st line service desk with some of the incident management process. Again there needs to be a documented agreement between the service provider and the customer – see Clause 6.1 for requirements to manage customers acting as a supplier.
The other parties can operate a process or part of a process. They can also provide a product, tool or service without operating any process or part of a process e.g. a supplier of laptops, service management toolset or network cabling service. Clause 4.2 only applies to those other parties who are operating a process or part of a process.
There are 4 requirements, which have been broken down further, for demonstrating governance of processes operated by other parties. It is important to remember that this is not asking for the service provider to be doing the activities themselves; what is the point of outsourcing if you do that?
The requirements are explained below:
– the service provider needs to demonstrate that they are accountable for the process or part of a process i.e. if something goes wrong with the process operated by the other party, it is the service provider who is accountable to the customer for putting it right and not the other party. The other party is accountable to the service provider for putting it right
- Control of definition of process and interfaces to other processes
  – there are various ways that the service provider can do this – by providing a process description, by agreeing to the other party’s process description or by defining and agreeing a process description together
  – it is important to include the interfaces to other processes, especially where these cross organizational boundaries e.g. if the other party is operating incident management and the service provider is operating problem management
- Authority to require adherence and compliance to the processes
  – the service provider needs to have a method to ensure compliance to the agreed process e.g. the internal auditors also auditing the process operated by the other party
- Determining process performance
  – the other party needs to allow the service provider to track the performance of the process. This could be through various methods e.g. reporting, direct access into a tool
- Controlling the planning and prioritization of process improvements
  – the service provider does not have to identify the process improvements themselves although they can do this if some improvements are found from the other activities e.g. from an audit of the other party’s activities
  – the service provider and the other party can review the suggested improvements together
  – the service provider has the final decision on plans and priorities for the improvements.
Contracts and documented agreements can be used to set expectations with the other party for these requirements. Evidence can then be shown in the form of meeting minutes, improvement logs, reporting etc.
The most frequently asked question
Finally, the question I am asked most frequently about governance of processes:
Does the other party have to be certified to ISO/IEC 20000?
The simple answer is no. But they do need to be aware of your requirements and their part in helping you to fulfil them.
ISO/IEC 20000-3 provides further guidance on application and governance of processes operated by other parties.
Lynda Cooper, an independent consultant and trainer, is one of the first people in the world to hold the ITIL Master qualification. Lynda sits on the BSI committee for IT service management (ITSM) and is one of the authors of ISO/IEC 20000. Lynda sits on various ISO/IEC committees and is the project editor for ISO/IEC 20000-1 and ISO/IEC 90006.