An article by Mark Sykes, Principal Consultant at Fox IT. ‘ISO/IEC 20000 Certification, Three Steps To Certification, Step 1 – Planning’ explaining the mechanics of obtaining ISO/IEC 20000 certification. This is the first part of a trilogy of articles explaining the mechanics of obtaining ISO/IEC 20000 certification.
Welcome to this first in a trilogy of articles explaining the mechanics of obtaining ISO/IEC 20000 certification.
This specific article deals with the following aspects:
- What is ISO/IEC 20000?
- Why should an organisation seek certification?
- What is involved in obtaining certification?
- How long does it take?
- Where does an organisation start?
Part 2 of the trilogy will explain the merits and mechanism for performing an initial assessment in order to review the current state of the IT Organisation (ITO) and to develop a plan that will put the ITO in a position to be audited for certification.
The final part will focus on implementing a project plan and road map that will take the ITO on a journey of implementing and/or improving processes and practices that the Standard requires to be met, through generating the required evidence, and on to the final certification audit and beyond.
What is ISO/IEC 20000?
ISO/IEC 20000 is an international standard (the Standard) and consists of a number of requirements that an organisation can be formally audited against to show that the ITO is proficiently operating its service delivery.
Whilst organisations that operate service management can be assessed against ITIL®, this is a best practice framework that allows an organisation to be selective about which elements they do, and there is no minimum number of processes that must be performed – whereas ISO/IEC 20000 specifies a set of processes and an over-arching management framework that must be effectively performed.
Indeed, the Standard is very prescriptive in what it says an ITO must do; it defines a set of mandatory requirements that will be audited and for which evidence of achievement must be shown. This then provides a very clear picture that an organisation is operating their service delivery to a set ‘standard’, which also enables similar types of organisation to be compared against one another, for example when a service provider is responding to an invitation to tender – but more on that later!
ISO/IEC 20000 has its own management framework, called the service management system – otherwise known as the SMS. As can be seen in the diagram below, many of the processes are aligned to those that you will find in ITIL (e.g. capacity management, problem management, etc.) – but the Standard contains only a brief list of minimum (albeit mandatory) requirements; the ITIL books go into much more detail on operating the relevant processes, so where appropriate ITIL can provide a useful reference point for those starting out – but more of this in part 2 and part 3 of this trilogy.
The Standard also has some key content over and above that which is contained within the ITIL books (or at least only briefly touched upon), such as a process for the ‘Design and transition of new or changed services’, as well as things that often get forgotten about such as document management and resource management.
Putting the processes to one side, the Standard places a key emphasis on the over-arching management framework that supports the operation (and improvement) of the processes. Without this in place, and without the ability to show evidence of items such as ‘management commitment’, an ITO will fail its audit irrespective of how well it is operating all of the required processes.
Why should an organisation seek certification?
Having worked on numerous ISO/IEC 20000 assignments (and also in its former guise of BS15000), it is always interesting to understand an organisation’s driver for seeking certification. Here is a flavour of what I have experienced:
- “We want to be the first one in the country to get it”
- “We want to maintain our status as the leading financial institution in the geographic region”
- “We want to be able to respond to a wider range of tender documents”
- “We’ve just won a contract that stipulates we need it”.
So a nice variety there, but the common themes are typically as follows:
- It is sometimes mandated as part of a contract or service being delivered (this is especially true of government contracts)
- It is often used as a marketing advantage (e.g. if two service providers are bidding for the same contract and one is certified and the other isn’t, the one with the certification may be in the driving seat!)
- Sometimes it is simply a matter of staying one step ahead of the competition.
In certain cases, for change-averse ITOs, it can be used as an internal driver for change. Sometimes telling people “you’ve got to do it because the Standard says you’ve got to do it and we won’t get the certificate if you don’t do it” can be the stick that is required to begin to transform how an ITO operates. Not that I would necessarily advocate this method of change, but it has been discussed with me before!
As a result of the very specific and prescriptive nature of ISO/IEC 20000, organisations can sometimes see it as being an alternative to implementing a framework such as ITIL. The five volumes of ITIL contain a huge amount of content and it can often provoke the question of “Where do I start?”, whereas the Standard can seem more palatable to those wanting a clearer definition of the minimum that they should be doing.
This can be particularly true for organisations that are not yet interested in obtaining certification, but that at the same time want to transform their service delivery capability. Starting with the Standard provides them with a narrower target to aim for, whilst at the same time putting them in an excellent position should the business strategy later change, meaning that the organisation needs to seek certification at some point in the future.
What is involved in obtaining certification?
Once an organisation has decided to proceed down the road to ISO/IEC 20000 certification, the next step is to identify a specific scope within the ITO service delivery that will be assessed by the external auditors, otherwise known as the Registered Certification Body (RCB).
The scope could apply to a single service, or maybe a number of key services, to a single customer or multiple customers. I find a good starting point here is to build a stakeholder map that looks at the services being delivered, the customers of those services (both internal and external) and the suppliers (both internal and external) involved in delivering and supporting those services. A service catalogue is obviously a key input into this activity if one is available.
Once an accurate picture has been built of the existing ITO service delivery then the most applicable scope can be determined – taking into account the ITO’s reasons for certification. For example, if an organisation wanted to use certification as a mechanism for gaining competitive advantage, then having the scope applicable to just their internal IT service provision may not be entirely appropriate.
It should also be noted that if the majority of the activities performed in the delivery of services are outsourced, then it is unlikely that an ITO would be suitable for certification. If certain aspects are outsourced (e.g. a Service Desk) then the ITO can still seek certification, but will need to be able to show ‘management control’ of (for example) incident management. Where this is the case, it is always advisable to seek expert advice to make sure that the scope of certification is going to be valid. Once a scope has been internally agreed, it will need to be formally ratified by the RCB that will perform the subsequent audit.
It is also worth noting that ISO/IEC 20000 is split into numerous parts, but parts 1 and 2 are the two key parts that I shall make reference to. Part 1 (latest revision published in 2011) provides the complete list of all the mandatory requirements that must be satisfied against the agreed scope in order to achieve certification. In total there are 403 requirements that need to be met, and for which evidence needs to be shown. A ‘non-conformity’ of just one of these will mean certification will not be attained.
Part 2 of the Standard (last revised in 2012) provides supporting guidance on what an ITO should be doing in order to satisfy the requirements in Part 1. It is worth highlighting at this stage that the Standard doesn’t dictate how an ITO should go about implementing or improving processes and practices in order to satisfy all of the stated requirements, although Part 2 and other supplementary elements of the Standard do provide some useful guidance.
How long does it take?
Depending on the maturity of the ITO, it can typically take somewhere between 12 and 18 months before an organisation is ready for the final audit to be undertaken by the RCB. The timeframe is, to a large extent, determined by the size of the scope and the number of required processes that are currently in active operation (or, more to the point, the ones that are not yet in operation!) and their individual maturity.
Also to be taken into consideration is that the auditors will be looking for three months’ worth of evidence to prove that the IT Organisation is doing what its processes, policies, procedures and work instructions say it should be doing! It is (relatively speaking) easy to get all of the processes defined and documented, but it’s something else to get them all operating in sync and to be able to show the evidence of that!
Where does an organisation start?
The obvious starting point is having a business case, and also defining the drivers, the organisation’s vision and its objectives. It is often necessary to provide the key stakeholders with an awareness of ISO/IEC 20000 before they can decide whether or not the Standard is a good fit for the organisation. Once all that is in place then, as mentioned earlier, it’s a case of defining the scope of certification.
The next step following on from this is to assess the current state of operation of the ITO in relation to the scope, to identify which of the 403 requirements are being satisfied and which ones are ‘non-conformant’, and then deciding on the best ‘plan of attack’ based on any stipulated target timescales. More details on this will be covered in part 2.