it service management - .net framework · 2018. 11. 16. · iso/iec 20000-3, which provides...

Post on 31-Jul-2021

IT Service Management

Self-assessment Workbook

Jenny Dugmore

First published in the UK in June 2000

Second edition published in the UK in November 2002

Third edition published in the UK in May 2006 by BSI, 389 Chiswick High Road, London W4 4AL

Fourth edition published in the UK in 2012 by ConnectSphere, Business and Technology Centre, Bessemer Drive, Stevenage, Hertfordshire SG1 2DX, UK

www.connectsphere.com

© ConnectSphere Limited

The moral right of the author has been asserted.

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.

Copyright waiver

The provisions of the copyright statement above apply to this document. However, ConnectSphere gives permission to the purchaser of this publication to print pages contained in this document for the following specific purpose only.

In the course of compiling the information that will comprise the self-assessment workbook, pages may be copied of those questions that apply to systems or processes that are duplicated and which need to be recorded separately. Copies may be made of the pages when notes need to be recorded during an on-site assessment and then transferred to the master copy of the self-assessment workbook. Copies shall not be made of the document in its entirety, or for further uses within the organization.

While every care has been taken in developing and compiling this publication, ConnectSphere accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

Printed in Great Britain by ConnectSphere

ISBN 978-1-908772-02-2

Contents

1 Introduction
1.1 This workbook – a fourth edition
1.2 What is ISO/IEC 20000?
1.3 Other guidance on ISO/IEC 20000
1.4 Other sources of information

2 Using this workbook
2.1 Introduction
2.2 What is self-assessment?
2.3 Preparing for self-assessment
2.4 Organizations, groups and people in the 20000 series
2.5 Integrated processes and supply chains
2.6 The workbook structure
2.7 Implementation of processes

3 The practical details
3.1 Printing and copyright
3.2 ISO/IEC 20000-1 clauses
3.3 The answers
3.4 References / comments
3.5 Planning improvements

4 Service management system general requirements
4.1 Management responsibility
4.2 Governance of processes operated by other parties
4.3 Documentation management
4.4 Resource management
4.5 Establish [and improve] the SMS

5 Design and transition of new or changed services
5.1 General
5.2 Plan new or changed services
5.3 Design and development of new or changed services
5.4 Transition of new or changed services

6 Service delivery processes
6.1 Service level management
6.2 Service reporting
6.3 Service continuity and availability management
6.4 Budgeting and accounting for services
6.5 Capacity management
6.6 Information security management

7 Relationship processes
7.1 Business relationship management
7.2 Supplier management

8 Resolution processes
8.1 Incident and service request management
8.2 Problem management

9 Control processes
9.1 Configuration management
9.2 Change management
9.3 Release and deployment management

Annex A – Bibliography and other sources of information

Jenny Dugmore

Jenny Dugmore has a background of operational line management and is now a service management consultant.

She is chair of the ISO group responsible for the ISO/IEC 20000 series. She is co-editor for ISO/IEC 20000-3, which provides guidance on the applicability and scope definition for ISO/IEC 20000-1: 2011. She is also co-editor of ISO/IEC 27013, which is guidance on the integrated implementation of ISO/IEC 27001, information security management, and ISO/IEC 20000-1.

She is involved in qualification and examination boards for ISO/IEC 20000-1 and is the UK Accreditation Service technical expert on service management.

Jenny was awarded the itSMF-UK Lifetime Achievement Award in 2005.

Foreword

If you have recognized the benefits of good quality service and wish to improve your service management processes you will find this workbook valuable. It provides a cost effective assessment method that will help you to baseline and benchmark your performance.

The workbook was developed by service management expert Jenny Dugmore, a specialist with extensive practical experience of service management. Jenny led the development of the ISO/IEC 20000 series that has been proven to work across the real world. ISO/IEC 20000-1 is the first IT service management standard to be produced by the International Organization for Standardization (ISO). Originally published in 2005 the standard was updated in 2011. It is based on the knowledge and experience gained by experts working in service management.

Building on experience with ISO/IEC 20000, Jenny has developed this workbook for internal and external service providers, both large and small. It offers a tried and tested approach for you to measure, review and act to identify and adopt improvements in service provision. It also provides clear direction and guidance that makes ISO/IEC 20000 certification more easily achievable.

In our experience, the self-assessment approach helps to engage your people through a shared understanding of ‘where you are today’. This helps to motivate your people to develop and deliver measurable improvements.

I wish you every success with your assessments and service management journey.

Shirley Lacy

Director

ConnectSphere

Self-assessment Control Sheet

Please complete this sheet at the end of the self-assessment. Background and advice on the best use of this workbook is provided in Sections 1–3. Details of individual interviews should be entered at the start of each of Sections 4–9. Additional information on related topics and supporting publications is provided in Annex A.

Service provider: ____________________

Assessment scope: ____________________

Assessors: ____________________

Date completed: ____________________

Signed: ____________________

Print name: ____________________

Job title: ____________________

1 Introduction

1.1 This workbook – a fourth edition

This workbook was first published in 2000, based on the first edition of BS 15000, the first national standard on IT service management. The second edition of the workbook was published in 2002, based on the second edition of BS 15000. The third edition reflected the changes made to BS 15000 when it was fast-tracked to become the first edition of ISO/IEC 20000-1, the first International Standard on IT service management. This fourth edition is based on the second edition of ISO/IEC 20000-1.

This workbook is intended for use by service providers that wish to do one or more of the following.

− Assess how a service management system (SMS) compares to ISO/IEC 20000-1:2011.

− Assess the extent of best practice service management implementation.

− Identify those areas where best practice is least and most evident.

− Support internal or external reviews, internal audits, baselining or benchmarking.

− Identify the most effective process and service improvements.

− Identify the most effective use of consultancy to support additional improvements.

− Seek reassurance that the important aspects of service management have been addressed.

1.2 What is ISO/IEC 20000?

ISO/IEC 20000 is now a multi-part series. Other parts are planned.

Part 1 contains requirements for an SMS, shown by the use of 'shall', which indicates a 'must do'.

The use of 'may' indicates permission. In Part 1 'may' is rarely used and only when it helps to avoid a Part 1 requirement being ambiguous. Most uses of 'may' in ISO/IEC 20000 are in Part 2 onwards.

Use of 'can' indicates something is actually possible, but is not a preferred option or directly permitted by Part 1. As with 'may', 'can' is used in Part 1 to avoid misunderstanding of the requirements, by adding information. 'Can' is also primarily used in Part 2 onwards.

The recommendations in Part 2 onwards are optional approaches to achieving the requirements in Part 1, shown by the use of 'should'. Although optional, the recommendations are the preferred methods and are practical methods that are normally appropriate.

1.2.1 Part 1

The requirements in Part 1 are applicable to service providers of all sizes and types, regardless of whether the organization is public or private sector, internal or external.

Part 1 provides the basis for formal certification schemes and other audits or assessments. It is also the primary basis for this self-assessment workbook.

Part 1 is rarely used stand-alone. It can be likened to a recipe without instructions for how the ingredients are to be used. The rest of the 20000 series (and other best practice guidance such as ITIL®¹) provide the guidance on how to plan, design, implement and operate a service management system (SMS).

Neither the guidance in the 20000 series nor ITIL can change the Part 1 requirements. Conflict on the interpretation of requirements should be resolved by reference to Part 1.

1.2.2 Part 2

Part 2 explains each Part 1 requirement using practical examples and preferred options. It provides the explanation of what to do with the ingredients in the Part 1 recipe.

¹ ITIL® is a Registered Trade Mark of the Cabinet Office.

1.2.3 Part 3

Part 3 provides guidance on the applicability of ISO/IEC 20000-1, how to define the scope of an SMS and the wording of scope statements for certificates awarded following a successful audit. It is also relevant to those designing a new or changed service that affects the scope of an established SMS.

1.2.4 Part 4

Part 4 is a process reference model. It has been developed to act as the basis of a process assessment model to be published as ISO/IEC TS 15504-8 (a Technical Specification).

1.2.5 Part 5

Part 5 is a general purpose plan for 'what to do first, what to do next and what to do last' when implementing Part 1. It includes guidance on topics such as developing a business case and effective policies.

1.3 Other guidance on ISO/IEC 20000

All current International Standards are framework independent. However, ISO/IEC 20000 is sometimes referred to as ‘the ITIL standard’.

The synergy between ISO/IEC 20000 and ITIL means that growth in the use of ITIL is mirrored by growth in the use of ISO/IEC 20000.

The 20000 series together with ITIL and other best practices provide consistent guidance on service management. This is shown in Figure 1.

Figure 1 – The integrated nature of best practice guidance

1.4 Other sources of information

The 20000 series and other related standards are listed in Annex A, Bibliography and other sources of information.

Additional guidance can also be obtained from the other publications in Annex A, e.g. the handbooks on service management and the use of a service management toolkit to speed up implementation or improvements to an SMS or service.

2 Using this workbook

2.1 Introduction

This workbook allows a service provider to assess their SMS by interviewing their personnel. When used by people who understand the processes being assessed and who are also objective in their judgments, this workbook enables a service provider to quickly identify their strengths and weaknesses, in comparison with best practices. This provides input to a plan for improving the service, and will ensure that resources are allocated for improvements to those areas that will deliver the most improvement in service quality.

Self-assessment enables and encourages a service provider’s commitment to continual improvement in service management processes and services. The assessment outputs should provide objective evidence for monitoring progress against the agreed service management objectives and the predicted improvements. The benefits from improvements will be visible and it should be easier to obtain funding for the next stage of improvements.

2.2 What is self-assessment?

The ‘self’ in self-assessment is used in the sense that the assessment is being managed by the organization that is being assessed and not by a third party audit company. The workbook is not designed for an individual to assess their own personal performance.

Effective use of the workbook requires the questions to be answered honestly, accurately and objectively. This is not always easy to do, especially by those who have helped to develop and sustain the processes being assessed. The results of the assessment will be more reliable if the people who do the assessment are independent of the day-to-day activities that are being assessed.

It can be better to use an assessor from a separate but related part of the organization or an external expert on service management. There is a risk that staff who do not understand service management or who are not familiar with the terms used will misinterpret the questions. This will skew the results of the assessments and opportunities for improvements could be missed.

An advantage of an independent internal team performing the assessment is that they know the service provider’s organization and understand the customer’s business. This helps them to focus on business priorities when identifying strengths, weaknesses and improvements.

Self-assessments promote buy-in to any resultant corrective actions and improvements as staff are much more aware of the gaps. This should help staff understand the areas that need most attention. Personnel who feel involved become more proactive in identifying improvements.

Internal assessments can be less expensive than external assessments, so can be conducted more frequently, often as mini-assessments, to track improvements (or the reverse) and to identify new improvements.

External assessments provide an objective external view that can 'unfreeze' the organization. Top management are often more willing to listen and to take the results seriously. As a result there will be strong sponsorship for the improvement plan.

External assessors can also have a broader base of experience and greater insight into opportunities that can be gained from improvements. With external interviewers it is easier for staff to believe that their input will be strictly confidential. Staff are therefore more likely to be more open about the real day-to-day operation. Staff can also learn a lot from external assessors. However, staff can resent the involvement of external assessors and resist the process or provide incorrect information when being interviewed.

So why not use both internal and external assessors? Many organizations do this successfully by planning the key areas for assessment and planning the time to do different types of assessment carefully. Some use hybrid teams of both internal and external assessors.

Key point: Self-assessment and certification audits

The approach and detail of an individual certification audit is based on the professional judgment of the audit company and of the individual auditors.

Although the topics covered during an ISO/IEC 20000 certification audit can be identical to those in a self-assessment, audit questions can be phrased differently. A certification audit will also seek various forms of audit evidence, as proof of any statements made during interviews.

Although ISO/IEC 20000 is about ‘doing not documenting’, a certification audit will also include a review of documents as part of the audit evidence. Documents represent the service provider’s intentions, e.g. a policy, process, plan, procedure or service level agreement (SLA), and records provide evidence of actual activities, e.g. a service report or a customer satisfaction survey.

Certification audits are also more reliable when they include observation of actual practices and comparison with documentation on intended practices or the views expressed in interviews, by the service provider’s personnel.

2.3 Preparing for self-assessment

The value obtained from use of this workbook will depend not only on how well the assessment is done, but also on the quality of preparation that is done before the assessment.

Preparation should include documented agreement on the terms of reference for the assessment, including:

a) the reason the assessment is being done, e.g.:

− input to planning for the implementation of new or changed service management processes;

− assessment of a ‘point of pain’ – e.g. a single process failing badly;

− input to risk assessment before a major change, such as the introduction of a new business critical service or the start of a new outsourcing contract;

− preparation for outsourcing, change of supplier or insourcing;

− checks on the effectiveness of supply chain management;

− baselining or benchmarking of the service and/or processes;

b) what the assessment is expected to achieve, in terms of level of detail, format of the end result and improvements based on identified deficiencies;

c) the scope of the assessment, based on objective and repeatable parameters, e.g.:

− ‘all processes in the scope of ISO/IEC 20000-1’;

− ‘the processes used to deliver a particular (named) service’;

− ‘the processes used to deliver service to a particular customer’;

− ‘the processes that support a particular location’;

− ‘organizational / functional units’;

d) constraints, such as time or resource limits;

e) approaches for:

− the selection of assessors to ensure they understand the subject matter, are competent and are able to make objective judgments;

− the selection of interviewees to ensure they are representative of all levels of seniority, types of roles and areas of expertise such as the processes in the scope of the assessment and interfaces between organizations;

− the basis for sampling, if e.g. there are many locations, services or customers in the scope of the assessment;

f) agreement of a plan, with a level of detail appropriate to the purpose and scope of the assessment;

g) plans for the assessment, identifying:

− resources;

− facilities;

− costs;

− milestones;

− key deliverables;

h) a communications plan covering:

− why the assessment is to be done, which should be sent out in advance;

− the results of the assessment;

− actions resulting from the assessment results.

2.4 Organizations, groups and people in the 20000 series

When using the workbook it is useful to understand the organizations, groups and people referred to in the 20000 series and in this workbook, as an aid to understanding why some questions are included. The most significant are defined below.

2.4.1 Customer

The 'customer' may be part of the same organization as the 'service provider', or be an external and legally separate organization.

2.4.2 Customers (when acting as suppliers)

Customers are normally an organization or part of an organization that receives a service or services. However, in many supply chain arrangements the customers also contribute to the service, e.g. providing a specialist business support service. When this is the case the customers are also acting as suppliers. Their role must be formally documented and they and their contribution to the SMS and services are managed using the service level management process.

2.4.3 External organizations

This term is only used in Part 1, Clause 6.6 for organizations that need to access the service provider's information or services. Information security controls should be in place specifically to reduce the risks of an external organization having this access.

2.4.4 Interested parties

This is a very broadly based category, ranging from customers and the service provider's own managers or staff to unions and bankers. Interested parties are any person or group with a specific interest in the service provider's performance or the success of their activities. Interested parties include what were referred to as 'stakeholders' in the 2005 edition of Part 1.

2.4.5 Internal groups

This term is used for a group that is part of the same organization as the service provider, but not under the service provider's direct control. They may contribute to the design, transition, delivery and improvement of a service or services under the terms of a documented agreement between the service provider and each of the internal groups.

Internal groups are not part of the scope of the SMS; only what they contribute may be included. Internal groups and their contribution are managed using the service level management process.

2.4.6 Management representatives / responsible managers

Top management may delegate some activities and responsibilities. Typically this is to a direct report or a group of managers that together have responsibility for the operation of the SMS and delivery of services. This is acceptable as long as the delegation is clearly defined and there is no confusion about 'who does what'. The managers with delegated responsibilities represent the top management and keep the top management informed using reporting, contributing to service reviews and internal audits.

2.4.7 Other parties

The term ‘other parties’ is a collective term for three groups involved with the service provider in the delivery of services. These are suppliers, internal groups and customers (when acting as suppliers).

2.4.8 Service provider

In ISO/IEC 20000 the term ‘service provider’ describes the organization aiming to achieve the requirements in ISO/IEC 20000-1. In this workbook the term is used with the same meaning, and is therefore also the organization that is being assessed using this workbook.

2.4.9 Supplier (including lead supplier)

The term 'supplier' is used for organizations external to the service provider that contribute to the service delivered by the service provider. Suppliers are organizations that are legally separate from the service provider, regardless of how closely they work together with the service provider. The terms 'lead supplier' and 'sub-contracted suppliers' are also used for suppliers with special roles in management and delivery of services. Lead suppliers have a direct relationship with the service provider and are responsible for management of the sub-contracted suppliers.

2.4.10 Top management

This term is used instead of senior or executive management. Top management are the highest level of the service provider's management and are that group of managers with the ultimate accountability and responsibility for the SMS and services. If the service provider's organization is only part of a much larger organization, the top management will usually be subordinate to the management that are responsible for the whole organization.

2.5 Integrated processes and supply chains

No service management process is self-contained; each has at least one interface to another process. No process will function indefinitely at optimum effectiveness; changes to one process often have a knock-on effect on other processes. There can also be a change to the services or a customer’s business needs. There can be major changes to the service, workloads or the supply chain of:

other parties ─► service provider ─► customer(s)

Supply chains can be complex and there may be many different customers reliant on the services. Other parties may contribute to the service. They include internal groups and customers acting as suppliers, as well as suppliers (including lead suppliers). This is shown in Figure 2.

Figure 2 – Supply chain involving other parties

A complex supply chain can affect the self-assessment using this workbook, e.g. the same assessment could be needed for several different organizations, groups and people contributing to the service. This includes the requirements of Part 1, Clause 4.2 (workbook, Section 4.2) on the governance of processes operated by other parties.


Key point: Which questions apply?

The workbook can be used to examine all aspects of an SMS, including service management processes, in which case all questions should be included.

The questions in Section 4 should always be completed, even when a survey is concentrating on a single process. This is important because continuing management commitment and the benefits of a continual programme of service and process improvements are required for each process.

If the questions in Section 4 are omitted any process will be assessed as if it is operated in a silo. This is one of the most common causes of bad practice service management. The needs and benefits of process integration are fundamental to effective service management and remain one of the drivers behind the 20000 series.

2.6 The workbook structure

Where possible the structure of the workbook has been aligned to the structure of Part 1. Section numbers map onto clause numbers in Part 1 for Section/Clauses 4 to 9.

Each section varies in size, reflecting the diversity of the processes and the detail of the requirements in Part 1.

Workbook section | Primary contents

4.1 The workbook begins with a series of questions that relate to overall management responsibilities, mapping to Part 1, Clause 4.1. These affect all processes in Part 1, including the service management processes.

This section also contains a subsection of questions that apply to every service management process. These have been grouped with the questions relating to management responsibilities to avoid repetition of identical sets of questions for each service management process.

4.2 Workbook Section 4.2 covers the questions that relate to Part 1, Clause 4.2, Governance of processes operated by other parties. These are new requirements in the second edition of Part 1 and should be given attention early in the assessment process.

4.3 This covers the questions that relate to Part 1, Clause 4.3, Documentation management. The requirements in Part 1, Clause 4.3 are significant as they define evidence required for an assessment of all other processes. Where it is more convenient to do so the workbook includes this in the relevant section, not Section 4.3.

4.4 This covers Part 1, Clause 4.4, Resource management.

4.5 This covers the establishment of an SMS, its operation and continual improvement. The cycle of continual improvements is referred to as the Plan-Do-Check-Act (PDCA) methodology in Part 1, Clause 4.5. The quality of every process in ISO/IEC 20000 is ultimately controlled by the PDCA cycle, so these questions also apply even if only a single service management process is being assessed.

5 Workbook Section 5 covers the design and transition of new or changed services, in Part 1, Clause 5. This section is relevant to all new services and changes to services with the potential to have a major impact on services or the customer. The 20000 series includes Clause 5 as part of the service management processes. Clause 5 is also strongly linked to the three control processes, in Part 1 Clause 9.

6–9 The core of this workbook is made up of the other service management processes in Part 1, Clauses 6–9. The workbook sections are each numbered as for Part 1.


Addressing the questions on the general requirements for an SMS in Part 1, Clause 4 / Workbook, Section 4 can often clarify why an individual service management process is defective or even missing. It should also be noted that when using the results as input to a plan for service improvements, an improvement initiative is likely to have impact and beneficial effects on more than one of the service management processes.

2.7 Implementation of processes

Each service provider may adapt and adopt best practice advice and have different interfaces between processes. While recognizing the importance of interfaces being understood and processes being integrated, Part 1 leaves the relationships between processes to the judgment of the service provider and includes very few requirements to specific interfaces. However, process groupings and interfaces that are relatively common to many service providers are shown in Figure 3.

Figure 3 – Common groupings of processes, based on Part 1


3 The practical details

3.1 Printing and copyright

The most effective way to use this workbook is to print and use the pages relating to a single process or group of processes being examined. Details of copyright conditions pertaining to the printing of this document are given on the copyright page at the beginning of this workbook.

Key point: Information sources

It is recommended that each assessment identifies who was interviewed and why they were interviewed to put their answers into context. For example, a team leader on the service desk or a document librarian. It is also useful to know how long that individual has been in their role and possibly what they did previously. Understanding who said what will help to understand the reasons for the differences, e.g. according to organizational grouping or seniority.

Space has been provided at the head of each section for who did the interview and / or a reference for the interview for use during subsequent analysis of the interview results etc.

Documents and records included in the assessment should be identified by name, version, date of issue and source. The source is particularly important when document management is poor.

If observation of actual practice is used to support the assessment, details should be provided on who was observed and the circumstances of the observation (e.g. normal service, busy period).

3.2 ISO/IEC 20000-1 clauses

When using the tables in this workbook, the first column contains questions relevant to individual requirements in Part 1. Some questions are included to help avoid ambiguity with what is intended by a question based on Part 1. These questions are shown by ‘ADV’ in column 2.

For most questions, their order in the workbook is the same as the order in the equivalent clause in Part 1. Any re-sequencing done to simplify the assessment sequence is shown by 'M', for 'moved'.

The second column heading indicates the Part 1 clause number that the workbook section relates to. The second column holds additional cross-references to other closely related clauses in Part 1. Only those that are most important are included, due to space limitations and to avoid the assessment becoming overly complex.

Compliance with questions in the workbook does not mean there is complete compliance with the matching requirement in Part 1. The auditor could have more exacting views on what is acceptable than those doing the self-assessment. The final decision on the acceptability of the processes during a certification audit lies with the professional judgment of the auditors. For example, their view of what constitutes a minor and major nonconformity.

For a certification audit all processes and all requirements must be in the scope and none may be defined as ‘Not applicable’, whereas the workbook does allow partial assessments, e.g. to monitor improvements in a single process.

3.3 The answers

All the questions permit one of four answers:

− YES;

− NO;

− In progress (IN PROG.);

− Not applicable (N/A).

‘Yes’ is when the requirement is completely fulfilled.

‘No’ is when there is no progress towards fulfilling the requirement.


‘In progress’ is when the service provider is aware of shortcomings and that improvement work has been started. This can be useful for indicating where improvements in performance are to be expected. ‘In progress’ should not be used for an omission that is understood but where no action has been taken. In these circumstances the response should be ‘No’.

‘Not applicable’ should be used with caution as it is rarely appropriate. The assessor should check that the topic is genuinely out of the scope of the self-assessment. For example, if there is no service management plan ‘Not applicable’ can be appropriate to questions about the contents of a service management plan, but ‘No’ is normally a more realistic assessment.

Particular care is usually required when a service provider is reliant on several suppliers, internal groups or customers (when acting as suppliers). It should be clear what each party contributes. Control of the other parties should also be examined carefully. The same questions will need to be asked of several different groups or people.

3.4 References / comments

The ‘References / comments’ space can be used in any way that is helpful. The space could be used to include the job title of the person responsible for the topics being assessed, if they are not the interviewee. However, it is recommended that the space is also used for references to documents checked or other information that will allow the question to be repeated or the answer to be checked. It can also be used as a starting point for any follow-up on topics that merit closer investigation.

To support the answer 'Yes', the space can be used for the details / references to documents and / or records that support the use of 'Yes'. This could be as simple as the section number in a quality manual or procedure. If document control and references are known to be badly done more details of the documents are advisable.

If the answer is ‘No’ the reference / comments can be used to record proposed improvements.

To support the answer 'In progress' it can be useful to record deficiencies or different practices. The space can be used to record the clarification, constraint or explanation of deficiencies or where more details can be found. Documents referenced can be attached to the completed worksheets as an annex. It can be useful to record the project, team or individual working on improvements.

When ‘Not applicable’ is used a brief explanation of why it is not applicable should be included.

If space is too limited to contain all the information that is useful, a reference to another document holding supporting details will be appropriate.

3.5 Planning improvements

Determining which improvements offer the best return requires objective knowledge of the service provider’s organization and the customer’s business priorities and needs. Differences arise from many causes. These include attitudes, business imperatives and changes currently planned or in progress.

Integration of processes is important because there is synergy between processes when data flows between them. There is limited benefit from being 90 per cent compliant in one process, while only 20 per cent compliant in another process.

Steps that might follow an assessment include:

− workshop(s) to discuss or brainstorm improvements to the process;

− use of external consultants to help formulate action plans and improvement programmes;

− analysis of related areas.

Repeating the assessment after three, six or twelve months, or after changes have been implemented, should provide a valid demonstration of improvement. This can become a regular baselining or benchmarking exercise.


4 Service management system general requirements

4.1 Management responsibility

Management involvement, commitment and responsibility are all important to the establishment and operation of an SMS. It is also important that this continues and is not just present in the early days of the SMS being established.

The focus of Clause 4.1 / Section 4.1 is on this necessary commitment, in particular the role of 'top management', described in Section 2.4.10 of this workbook. This is shown by the high proportion of questions in this section that refer to the activities of 'top management'.

These questions are grouped together partly because they are relevant to the whole SMS, including the individual service management processes in Part 1, Clauses 5–9 / Workbook, Sections 5–9.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Management responsibility | 4.1 | YES | NO | IN PROG. | N/A | Reference / comments

4.1.1 Management commitment

Is there evidence of top management being committed to the SMS and services being:

1. planned?

2. documented? 4.3

3. established?

4. implemented?

5. operated?

6. monitored?

7. reviewed?

8. maintained?

9. improved?

Were top management involved in:

1. documenting and establishing the scope of the SMS? 4.3

2. communicating the scope of the SMS?

3. documenting and establishing the service management policy? 4.3

4. communicating the service management policy?

5. documenting and establishing the service management objectives? 4.3

6. communicating the service management objectives?


7. creating and documenting the service management plan? 4.3

8. implementation of the service management plan?

Did top management ensure that when the SMS was established the following resources were provided:

1. human?

2. financial?

3. technical?

Are top management still involved in the SMS and services:

1. keeping the scope of the SMS current and appropriate?

2. communicating any changes to the scope of the SMS?

3. revising or confirming the service management policy?

4. communicating changes to the service management policy?

5. revising or confirming the service management objectives?

6. communicating any revisions to the service management objectives?

7. maintenance of the service management plan?

8. revisions to the service management plan?

9. implementation of changes to the service management plan?

Does the service management plan ensure:

1. adherence to the service management policy?

2. achievement of the service management objectives?

3. fulfilment of the service requirements?

Does a management group (e.g. a forum) of management and stakeholders give visible support to top management direction? ADV


Are the following understood by the service provider's personnel:

1. service management policy?

2. service management objectives?

3. service requirements?

Do top management continue to communicate the importance of fulfilling:

1. service requirements?

2. statutory requirements?

3. regulatory requirements?

4. contractual obligations?

Are the following understood by the service provider's personnel: ADV

1. service management objectives?

2. service requirements?

3. statutory requirements?

4. regulatory requirements?

5. contractual obligations?

Do top management continue to ensure sufficient resources are provided after changes to the SMS and services:

1. human?

2. financial?

3. technical?

Are the policies in the SMS supported by documented processes? ADV

Are all processes present in the SMS? ADV

Are the processes in the SMS supported by documented procedures? ADV

Do top management conduct reviews at planned intervals? 4.5.4.3

Do top management ensure risks to the services are assessed? 4.5.4

Do top management ensure the risk assessment leads to risk being managed? 4.5.4


4.1.2 Service management policy

Do top management ensure that the service management policy:

1. is appropriate for the service provider's purposes?

2. includes a commitment to fulfilment of service requirements?

3. includes a commitment to continually improve the SMS and services effectiveness?

4. provides a framework for establishing service management objectives?

5. provides a framework for reviewing service management objectives?

6. is communicated by the service provider's personnel?

7. is understood by the service provider's personnel?

8. is reviewed for suitability?

Do top management ensure a policy on continual improvement is followed? M & 4.5.5.1

Do the policies, objectives and plans reflect the customer's business needs? ADV

4.1.3 Authority, responsibility and communication

Do top management ensure service management:

1. authority levels are defined?

2. authority levels are suitable for the person allocated authority to function effectively? ADV

3. authority levels are maintained?

4. responsibilities are defined?

5. responsibilities are suitable for the person to function effectively? ADV

6. responsibilities are maintained?

Do top management ensure that procedures for communication are:

1. documented?

2. established?

3. implemented?

4. followed?


4.1.4 Management representative

Has top management appointed a management representative?

Does the management representative have the authority and responsibility to ensure service requirements are:

1. identified?

2. documented?

3. fulfilled?

Does the management representative have the authority and responsibility to ensure that service management processes are:

1. designed?

2. implemented?

3. improved?

4. in accordance with the service management policy?

5. in accordance with the service management objectives?

Does the management representative ensure that each service management process is integrated into the SMS?

Does the management representative ensure that assets, including licences, used to deliver the services are managed according to:

1. statutory requirements?

2. regulatory requirements?

3. contractual obligations?

Does the management representative report to top management on the SMS and services:

1. performance?

2. opportunities for improvement?


4.2 Governance of processes operated by other parties

An important clause in the 2011 edition of Part 1 covers the requirements for control of the activities of other parties that contribute to the service by operating processes or parts of processes in the scope of Part 1 (see Figure 4). This clause reflects service supply chains being the result of several different organizations and groups, each making a contribution to the service delivered to the service provider's customers.

Figure 4 – Illustration of the groups to be considered for scope definition

The requirements in Part 1, Clause 6.6 include information security controls for all external groups. External groups are not explicitly referred to in Part 1, Clause 4.2, although they can have an impact on the service and therefore on the acceptable scope of the SMS. For example, if the requirements of Clause 6.6 are not met for an external group that also operates parts of the processes in the SMS, their contribution cannot be included.

ISO/IEC 20000-3 provides guidance on scope definition and applicability of Part 1. This also includes an explanation of the governance of processes operated by other parties.

Interviewee name:

Role:

Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Governance of processes operated by other parties | 4.2 | YES | NO | IN PROG. | N/A | Reference / comments

Has the service provider identified all processes / parts of processes operated by:

1. internal groups?

2. customers, when acting as suppliers?

3. suppliers?


Does the service provider demonstrate governance of processes operated by other parties by having evidence of:

1. accountability for the process?

2. authority to require a process is followed?

3. control of the process definition?

4. control of the process interfaces?

5. control of how process performance is determined?

6. control of how process compliance is determined?

7. control of process improvement planning?

8. control of priorities for improvements?

Does the service provider also manage suppliers using the supplier management process?

Does the service provider also manage internal groups using the service level management process?

Does the service provider also manage customers (when acting as suppliers) using the service level management process?


4.3 Documentation management

For documents and records required by Part 1, Clause 4.3 see the separate clauses / sections where each document and record is used, e.g. policies and processes.

Records are a special type of document and are controlled under the requirements given in Clause 4.3.3.

When using this section of questions to assess a single process, substitute the name of that process for SMS or SMS and services.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Document management | 4.3 | YES | NO | IN PROG. | N/A | Reference / comments

4.3.1 Establish and maintain documents

The requirements are…. Has the service provider established documents, including records, to ensure the SMS is effectively planned, operated and controlled? Are the following documents available: a) service management policy and objectives; b) service management plan; c) policies and plans for specific processes; d) catalogue of services; e) SLAs; f) service management processes; g) procedures.

various n/a n/a n/a n/a

The requirements in the left-hand column of this row are from Clause 4.3.1. They are listed in other sections in this workbook and do not form part of this section, to reduce duplication of evidence collection.

4.3.2 Control of documents

Is there a documented procedure for SMS document control?

Does the control of documents for the SMS cover the 'how, when and who' of the following:

1. creation?

2. approval?

3. identification of changes?

4. identification of status?

5. ensuring availability when required?

6. ensuring documents are identifiable?

7. ensuring documents are legible?

8. ensuring obsolete documents are not accidentally used if retained?

9. communication of new documents (to interested parties)? M


10. communication of changed documents (to interested parties)? M

11. documents of external origin are identified? M

12. distribution of documents of external origin is controlled? M & 4.3.1

Are SMS documents actually controlled?

Are there clear rules for progress of a document from Stages 1 to 12 (above)? ADV

Is the progress from one stage to the next subject to an approval process? ADV

Is there a date by when the purpose and usefulness of any document will be reviewed? ADV

Is there a date by when any document will be archived? ADV

Do document management processes and documented procedures ensure that SMS documents are:

1. readily identifiable? ADV

2. legible? ADV

3. reliable? ADV

4. easily accessible during normal service? ADV

5. easily accessible after a major loss of service? ADV & 6.3

6. brought to the attention of all parties who could usefully refer to them? ADV

Is the documentation based on a logical structure so that there are no gaps, overlaps or ambiguity on what is held where? 4.1

Are documents available that describe how the SMS should be operated, e.g. is there an SMS process map and does the process map support the relevant policy? ADV


4.3.3 Control of records

Is there a documented procedure for record control?

Does the procedure cover the 'how, when and who' of the following aspects of SMS record control:

1. easy identification?

2. storage?

3. protection (against damage or loss)?

4. easy retrieval when required?

5. retention of documents?

6. disposed of when not required?

7. ensuring legibility?

Are there clear rules for how each of the seven aspects of record control listed above is to be achieved for the SMS? ADV

Is there a date by when the purpose and usefulness of any record will be reviewed? ADV

Is there a date by when any record will be archived? ADV

Are records available that show how the SMS was actually operated, e.g. minutes of service review meetings? ADV

Is the procedure effective for records used or produced by the SMS? ADV

Are SMS records actually controlled according to the procedure?


4.4 Resource management

Most resource management requirements are grouped in Part 1, Clause 4.4. Also see Clause 4.1 for management responsibilities for resourcing and Clause 4.5 for use of resources.

When using this section of questions to assess a single process, substitute the name of that process for the reference to the SMS or SMS and services.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Resource management | 4.4 | YES | NO | IN PROG. | N/A | Reference / comments

4.4.1 Provision of resources

Are the following resource requirements known for the SMS:

1. human?

2. technical?

3. information?

4. financial?

Are the following resource requirements known for the services: ADV

1. human?

2. technical?

3. information?

4. financial?

4.4.2 Human resources

Are the human resources for the SMS and services to be:

1. understood?

2. established and implemented?

3. maintained?

4. improved?

Are the technical resources suitable for the SMS and services to be:

1. established and implemented?

2. maintained?

3. changed? ADV

4. improved?


Are the information resources suitable for the SMS and services overall to be:

1. established and implemented?

2. maintained?

3. changed? ADV

4. improved?

Are the financial resources suitable for the SMS and services overall to be:

1. established and implemented?

2. maintained?

3. changed? ADV

4. improved?

Do the resources fulfil service requirements?

Do the resources enhance customer satisfaction? 7.1

4.4.3 Human resources

Is the necessary competence for the SMS based on:

1. education?

2. training?

3. skills?

4. experience?

Are there records of actual competence in terms of: M & 4.3

1. education?

2. training?

3. skills?

4. experience?

Do personnel have the necessary competence for the SMS in terms of:

1. education?

2. training?

3. skills?

4. experience?


Is training provided to fill a shortfall in competence?

If training is not appropriate or possible, are personnel recruited with the required competence? ADV

Are any other suitable actions taken to fill the shortfall in competence (e.g. mentoring)? ADV

Is training evaluated for effectiveness? ADV & 4.1

Are other actions evaluated for effectiveness?

Are personnel managed effectively? ADV & 4.1

Is succession planning and staff turnover managed? ADV & 4.1

Do personnel understand how they contribute to the achievement of service management objectives?

Do personnel understand how they contribute to the fulfilment of service requirements?

Is information on actual and required competence and training needs used when planning services or SMS improvements? ADV, 4.5 & 6


4.5 Establish [and improve] the SMS

This section covers the planning, implementation and operation of the SMS. It includes the Plan-Do-Check-Act cycle for process and service improvements. The PDCA cycle should be applied to all processes. For this reason the questions relevant to Part 1, Clause 4.5 / Workbook, Section 4.5 should be answered for each process within the scope of the assessment, in conjunction with the process specific questions contained within the other sections in this workbook. The cycle is shown in Figure 5.

A very early step in the planning is to define the scope of the SMS. Part 1, Clause 4.5.1 mapped to Section 4.5.1 below covers this scope definition.

The scope is affected by the contribution of other parties. The contribution they make may be included as part of the SMS if the requirements of Part 1, Clause 4.2 are fulfilled, as was included in 4.2 and in Figure 4.

ISO/IEC 20000-3 provides guidance on scope definition and applicability of this part of ISO/IEC 20000.

Figure 5 – PDCA

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Define the scope 4.5.1 | YES | NO | IN PROG. | N/A | Reference / comments

4.5.1 Define scope

Is the scope of the SMS defined?

Is the scope of the SMS documented? 4.3

Does the definition of scope include:

1. the organizational unit providing the services?

2. the services to be delivered?

Is there evidence that the service provider considered use of other parameters:

1. the service provider's locations used for delivering services in scope?

2. the customer?

3. the customer's location(s)?

4. the technology used?

Is the scope of the SMS in the plan? 4.3

Is the scope of the SMS used for planning?


4.5.2 Plan the SMS (Plan)

It only becomes possible to plan reliably if there is a clear understanding of the scope of the SMS – based on parameters such as the names of services, as in Section 4.5.1.

The initial planning activity and the actual plan are for the whole of the SMS. Subsequent PDCA cycles repeat the planning stage. In the second and later PDCA cycles the planning and the plan are focused on changing the SMS that was established by the previous SMS plan stage.

Changes to the SMS may be for a variety of reasons. These include new or changed services that require a change to the SMS, and improvements to processes and services. Other changes to the SMS may be increases in the scope of the SMS as the best practices are extended to cover more services.

When using this section of questions to assess a single process, substitute the name of that process for the reference to the SMS or SMS and services.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Plan the SMS (Plan) 4.5.2 | YES | NO | IN PROG. | N/A | Reference / comments

Is there a documented service management plan? 4.3

Does the plan include or refer out to:

1. service management objectives?

2. service requirements?

3. limitations that could impact the SMS?

4. service management policies?

5. other policies that could impact the SMS?

6. other standards in use?

7. statutory requirements?

8. regulatory requirements?

9. contractual obligations?

10. authorities/authority levels?

11. responsibilities?

12. process roles?

13. services?

14. human resources?

15. technical resources?

16. information resources?

17. financial resources?


18. working with other parties on new or changed services (Clause 5)?

19. the management of interfaces between service management processes?

20. the integration of service management processes and other SMS components?

21. risk acceptance criteria?

22. risk management?

23. technology used to support the SMS?

24. measures and measurement of the effectiveness of the SMS and services?

25. auditing of the SMS and services?

26. reporting on the effectiveness of the SMS and services?

27. how the effectiveness of the SMS and services will be improved?

Does the plan take into consideration the:

1. service management policy?

2. service requirements?

3. the Part 1 requirements?

Does the service management plan include review of the plan? 4.5.4

Has the plan been implemented? 4.5.3

Are the reviews of the plan at suitable planned intervals? 4.5.4

Does the review of the plan result in changes to the plan, if required? 4.5.4

Are locally developed plans for processes aligned with the centrally controlled service management plan? 4.3


4.5.3 Implement and operate the SMS (Do)

The second stage of the PDCA cycle is to implement the planned SMS and to operate it, in order to deliver the service. After the SMS has been implemented, the repeating PDCA cycle implements changes to the SMS, including improvements, changes to SMS scope, new or changed services managed under Part 1, Clause 5 / Workbook Section 5.

When using this section of questions to assess a single process, substitute the name of that process for the reference to the SMS or SMS and services.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Implement and operate the SMS (Do) 4.5.3 | YES | NO | IN PROG. | N/A | Reference / comments

Does the SMS cover the following for services

1. design? 4.5.2 & 5.1

2. transition? 4.5.2 & 5.1

3. delivery? 4.5.2 & 5.1

4. improvement? 4.5.5

Do these stages (above) follow the service management plan? 4.5.1

For implementation of the plan are the following included as activities:

1. allocation of funds as budgeted? 6.4

2. management of funds and budgets (financial resources)? 6.4

3. assignment of authorities? 4.1

4. assignment of responsibilities? 4.1

5. assignment of process roles? 4.1

6. management of human resources? 4.4

7. management of technical resources? 4.4

8. management of information resources? 4.4

9. risk identification – initial and ongoing? 6.6

10. assessment of risks – initial and ongoing? 6.6

11. management of risks – initial and ongoing? 4.5.4 & 6.6

12. management of all processes? 4.1

13. service management performance monitoring? 4.5.4 & 6.2

14. service management performance reporting? 6.2


4.5.4 Monitor and review the SMS (Check)

The scope of this stage is to monitor and measure processes and services against policies, objectives and requirements and report the results. It is also to take actions to continually improve process performance.

This section includes references to internal audit practices. Those unfamiliar with internal audits will find it useful to read ISO/IEC 17021 and ISO 19011. They provide guidance on management systems auditing. When using this section of questions to assess a single process, substitute the name of that process for the SMS or the SMS and services.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Monitor and review the SMS (Check) 4.5.4 | YES | NO | IN PROG. | N/A | Reference / comments

4.5.4.1 General (see 4.5.4.2/3)

Are suitable methods used for monitoring the SMS and services? 4.5.4.2/3

Are suitable methods used for measuring the SMS and services? 4.5.4.2/3

4.5.4.2 Internal audit

Are internal audits done? M&4.5.4.1

Are internal audits done against documented objectives?

Is the internal audit programme planned? M&4.5.4.1

Are internal audits done at planned intervals? M&4.5.4.1

Are the planned intervals suitable? M&4.5.4.1

Does the internal audit follow a documented procedure? M&4.5.4.1

Does the procedure include: M&4.5.4.1

1. importance of processes and areas to be audited?

2. results of previous audits?

3. audit criteria?

4. audit scope?

5. audit frequency?

6. audit methods?

7. authorities for audit planning and conduct?

8. responsibilities for audit planning and conduct?

9. reporting audit results?

10. maintaining audit records?


Is the internal audit procedure objective and impartial? M&4.5.4.1

Are internal auditors prevented from auditing their own work? M&4.5.4.1

Are auditors objective and impartial in practice? M&4.5.4.1

Do the internal audits demonstrate the ability of the SMS and services to achieve service management objectives? M&4.5.4.1

Do the internal audits demonstrate the ability of the SMS and services to fulfil service requirements? M&4.5.4.1

Do the internal audits investigate nonconformities against Part 1? M&4.5.4.1

Do the internal audits investigate nonconformities against the SMS requirements (as planned)? M&4.5.4.1

Do the internal audits determine whether the SMS and services fulfil Part 1 requirements? M&4.5.4.1

Do the internal audits investigate nonconformities against the service requirements? M&4.5.4.1

Do the internal audits check whether the SMS and services are maintained effectively? M&4.5.4.1

Are the results of the internal audits recorded, including: M&4.5.4.1

1. nonconformities?

2. concerns?

3. actions identified?

4. communicated to interested parties?

Are actions against nonconformities communicated? M&4.5.4.1

Are actions against nonconformities: M&4.5.4.1

1. prioritized?

2. allocated?

Do managers of the area audited ensure corrections and corrective actions are taken according to the priority allocated? M&4.5.4.1

Do managers ensure corrections (fixing a defect) and corrective actions (preventing a defect) are effective in eliminating nonconformities and their causes? M&4.5.4.1

Is a report produced on the actions taken? M&4.5.4.1


4.5.4.3 Management review

Are management reviews of the SMS and services done?

Are management reviews done against documented objectives? M&4.5.4.1

Do the management reviews demonstrate the ability of the SMS and services to achieve service management objectives? M&4.5.4.1

Do the management reviews demonstrate the ability of the SMS and services to fulfil service requirements? M&4.5.4.1

Do the management reviews investigate nonconformities against Part 1? M&4.5.4.1

Do the management reviews investigate nonconformities against the SMS requirements (as planned)? M&4.5.4.1

Do the management reviews investigate nonconformities against the service requirements? M&4.5.4.1

Are the results of the management reviews recorded, including: M&4.5.4.1

1. nonconformities?

2. concerns?

3. actions identified?

4. communicated to interested parties?

Does the input to management reviews include: M&4.5.4.1

1. customer feedback?

2. service performance and conformity?

3. process performance and conformity?

4. current and forecast human resources?

5. current and forecast technical resources?

6. current and forecast information resources?

7. current and forecast financial resources?

8. current and forecast human capabilities?

9. current and forecast technical capabilities?

10. risks?

11. status of preventive actions?

12. status of corrective actions?


13. results from audits?

14. details of actions arising from audits?

15. results from management reviews?

16. actions arising from management reviews?

17. changes that could affect the SMS and services?

18. opportunities for improvement?

Are there records of management reviews? M&4.5.4.1

Do the records from management reviews include decisions and actions relating to: M&4.5.4.1

1. resources?

2. improvements of the SMS?

3. improvements of the services?


4.5.5 Maintain and improve the SMS (Act)

The scope of this stage is to take actions to continually improve process performance. This is the final stage in the first cycle of PDCA. Like the other stages it is then repeated as the SMS changes, the service changes or improvements are made.

Those with an interest in corrective and preventive action will find it useful to see ISO 9001:2008, Clause 8.5.

When using this section of questions to assess a single process, substitute the name of that process for the SMS or the SMS and service.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Maintain and improve the SMS 4.5.5 | YES | NO | IN PROG. | N/A | Reference / comments

4.5.5.1 General

Is there a policy on continual improvement of the SMS and services? 4.3

Is the policy used as management direction on the SMS and services?

Does the policy include evaluation criteria for opportunities for improvement?

Is there a documented procedure for improving the SMS and services? 4.3

Does the documented procedure cover improvement: 4.3

1. identification?

2. documenting?

3. evaluation?

4. approval?

5. prioritizing?

6. management?

7. measurement?

8. reporting?


Does the documented procedure include authorities / authority levels and responsibilities for all stages of improvements? 4.1

Are opportunities for improvement identified?

Are opportunities for improvement actually documented?

Are nonconformities corrected?

Do corrective actions prevent recurrence of nonconformities?

Are preventive actions taken to eliminate the cause of potential nonconformities?

4.5.5.2 Management of improvements

Are the evaluation criteria in the continual improvement policy used for decision making on improvements? M

Are opportunities for improvement prioritized? M

Are improvements subject to approval?

Are approved improvements planned?

Are approved improvements managed?

Are targets set for improvements in at least one of:

1. quality?

2. value?

3. capability?

4. cost?

5. productivity?

6. resource utilization?

7. risk reduction?

Are approved improvements actually implemented?

Are any necessary revisions to the following made:

1. service management policies?

2. service management plans?

3. processes?

4. procedures?

Are implemented improvements measured against the targets set?

If targets are not met, is remedial action taken?

Are reports produced describing improvements and their effectiveness?


5 Design and transition of new or changed services

The need for a new service or a change to a service can originate from many different groups: customer, service provider, an internal group or a supplier. The reasons can vary widely, e.g. in order to satisfy business needs or to improve the effectiveness of the services.

The requirements in Part 1, Clause 5 provide additional protection for higher risk changes to the service. This includes the introduction of a new service or withdrawal or transfer of an established operational service. The protection is in addition to that provided by other service management processes, in particular the control processes. The close working relationship between Clauses 5 and 9 should be taken into account when using Sections 5 and 9 of this workbook.

If a service provider opts to increase the scope of the SMS by adding new services, as part of an incremental implementation of an SMS to cover all aspects of service delivery, Clause 5 can provide useful support for Clause 4.5, including the revision of the scope, changes to the plan and the operation of the other stages in the PDCA cycle.

For further information about design, see the design and development process in ISO 9001:2008, Clause 7.3 or the architectural design process in ISO/IEC 15288:2008, Clause 6.4.3.

When using this section of questions to assess a single process, substitute the name of that process for the SMS or the SMS and service.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Design and transition of new and changed services 5 | YES | NO | IN PROG. | N/A | Reference / comments

5.1 General

Is the Clause 5 process documented? 4.3

Does the change management policy include the definition of: 9.2

1. removal of services?

2. transfers of service to customer or different party?

3. other high risk changes that need the additional protection of Clause 5 (potential to have a major impact on services or customers)?

Are the following stages in Clause 5 also under the control of change management: 9.2

1. assessment?

2. approval?

3. scheduling?

4. reviewing?


Are the configuration items (CIs) affected by Clause 5 activities controlled by the configuration management process for the following stages: 9

1. assessment?

2. approval?

3. scheduling?

4. reviewing?

Does the service provider review the outputs from the planning and design activities in Clause 5 against: 4.5 & 9

1. agreed service requirements?

2. Clause 5.2 requirements? 5.2

3. Clause 5.3 requirements? 5.3

Is the review output used as the basis of acceptance or rejection decisions?

Does the service provider ensure that accepted outputs are suitable for the transition to be performed effectively?

5.2 Plan new or changed services

Does the service provider identify the service requirements for Clause 5? 4.5 & 9

Does planning ensure the service requirements are fulfilled? 4.5 & 9

Are plans agreed with the customer? 4.5 & 9

Are plans agreed with other interested parties? 4.5 & 9

Does the planning and service design take into consideration the potential impact of the new or changed services on the existing services? 4.5 & 9

Does the planning and service design take into consideration the potential impact of the new or changed services on the SMS?

Does the plan take into consideration: 4.5 & 9

1. authorities / authority levels for design?

2. responsibilities for design?

3. authorities / authority levels for development?

4. responsibilities for development?

5. authorities / authority levels for transition?

6. responsibilities for transition?


7. activities to be performed by the service provider…?

8. …including those across the interface to other parties?

9. activities by suppliers (if involved)?

10. activities by internal groups (if involved)?

11. activities by customers acting as suppliers (if involved)?

Does the plan include: 4.5 & 9

1. preparing communications for interested parties?

2. identifying communications actually provided to interested parties?

3. identified human resources?

4. identified technical resources?

5. identified information resources?

6. identified financial resources (budgets and funds)?

7. timescales for activities?

8. identified risks?

9. risk assessment?

10. management of risks?

11. dependencies on other services?

12. testing required?

13. how testing will keep risk of failure to acceptable levels?

14. agreed criteria for acceptance of the service?

15. measurable / quantified outcomes?

Does the plan include services to be removed, when applicable? 4.5 & 9

Does planning for removal include dates for: 4.5 & 9

1. removal?

2. archiving?

3. disposal or transfer of data?

4. disposal or transfer of documentation?

5. disposal or transfer of service components?


Are the identified service components comprehensive? 4.5 & 9

Do the service components include infrastructure? 4.5 & 9

Do the service components include licences? 4.5 & 9

Are other contributing parties identified: 4.2 & 4.5

1. suppliers?

2. internal groups?

3. customers (when acting as suppliers)?

Is there a record of the service provider's assessment of ability to contribute to the service by: 4.2 & 4.5

1. suppliers?

2. internal groups?

3. customers (when acting as suppliers)?

Are any shortfalls resolved for contributions by: 4.2 & 4.5

1. suppliers?

2. internal groups?

3. customers acting as suppliers?

5.3 Design and development of new or changed services

Does the documented design and changes to the SMS include: M, 4.1 & 4.5

1. authorities/authority levels for delivery?

2. responsibilities for delivery?

3. activities for delivery?

Does the documented design include human resources requirements as:

1. education? 4.4 & 4.5

2. training? 4.4 & 4.5

3. skills? 4.4 & 4.5

4. experience? 4.4 & 4.5

5. budget and operating income? 4.4, 4.5 & 6.4

6. changes to technology? 4.5 & 6.3

7. new technology? 4.5 & 6.3

8. changes to service management plans (within the design)? 4.5

9. changes to service management policies? 4.1 & 4.5


10. changes to contracts (including any new contracts)? 4.5 & 7.2

11. changes to documented agreements with internal groups? 4.2, 4.5 & 6.1

12. changes to documented agreements with customers (when acting as suppliers)? 4.2, 4.5 & 6.1

13. changes to the catalogue of services? 4.2, 4.5 & 6.1

14. new or changes to SLAs? 4.2, 4.5 & 6.1

15. procedures for the delivery of the new or changed services? 4.3

16. measures for the new or changed services? 4.2, 4.5, 6.1 & 6.2

17. information to be used for delivery of the new or changed services? 4.2, 4.5, 6.2 & 6.6

18. does the design enable the service provider to fulfil service requirements? 4.1 & 5.4

Have the services been developed in accordance with the documented design? 4.2 & 4.5

5.4 Transition of new or changed services

Are the new services tested? 4.5 & 9

Do the tests compare the services to the service requirements? 4.5 & 9

Do the tests compare the services to the documented design? 4.5 & 9

Do the tests compare the services to the agreed service acceptance requirements? 4.5 & 9

Are decisions made by the service provider and interested parties on actions if the service acceptance criteria are not met? 4.5 & 9

Are actions taken, including deployment, if the service acceptance criteria are not met? 4.5 & 9

Is the release and deployment process used to deploy services into the live environment? 9.3

Is there a report of actual outcomes achieved compared to expected outcomes? 9

Is the report sent to interested parties? 4.5 & 9


6 Service delivery processes

6.1 Service level management

SLM interfaces to many other processes, including the other parts of the supply chain – supplier management and business relationship management. Some common interfaces are shown in Figure 6. This affects the requirements and should be considered when using the self-assessment workbook.

Figure 6 – Relationships between the SMS, SLA and catalogue

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Service level management 6.1 | YES | NO | IN PROG. | N/A | Reference / comments

Is the service level management process documented? 4.3

Are the services to be delivered agreed with the customer?

Is there a documented catalogue of services? 4.3

Is the catalogue in the customer's language? 4.3

Is the catalogue agreed with the customer? ADV

Does the catalogue include the services delivered?

Does the catalogue include dependencies between services?


Is there at least one SLA for each service delivered?

Are the SLAs documented? 4.3

Do the SLAs take the service requirements into consideration? 4.1

Do the SLAs include:

1. service targets?

2. workload characteristics?

3. exceptions?

Is there a service review procedure? ADV

Is there a service catalogue and SLA review procedure? ADV

Is there a documented agreement (with internal groups / customers acting as suppliers) for the review procedure? ADV

Does the service provider review services with the customer? 7.1

Does the service provider review SLAs with the customer? 7.1

Is there a timetable of planned service reviews?

Are results of reviews recorded? M

Are records of reviews used to identify the causes of nonconformities? M

Are records of reviews used to identify opportunities for improvement? M

Is the change management process used to control: 9.2

1. documented service requirements?

2. catalogue of services?

3. SLAs?

4. other documented agreements?

Is the catalogue of services realigned / maintained when services change? 9.2

Is the catalogue of services realigned / maintained when SLAs are changed? 9.2

Is there a documented agreement defining activities and interfaces between the service provider and internal groups that is: 4.2 & 4.5

1. agreed with the internal groups?

2. reviewed?

3. maintained as the result of the review?


Is there a documented agreement defining activities and interfaces between the service provider and customers (when acting as suppliers) that is: 4.2 & 4.5

1. agreed with the customers?

2. reviewed?

3. maintained as the result of the review?

Does the service provider monitor performance of the internal group against commitments, including service targets? 4.2 & 4.5

Is the monitoring to a planned timetable?

Is the performance of the customer (when acting as a supplier) monitored? 4.2 & 4.5

Is the monitoring against commitments, including service targets? 4.2 & 4.5

Is the monitoring to a planned timetable?

Are results recorded? 4.3

Are the recorded results reviewed? 4.2 & 4.5

Does the review identify the causes of nonconformities? 4.2 & 4.5

Does the review identify opportunities for improvement? 4.2 & 4.5


6.2 Service reporting

Service reporting affects every process in Part 1 including those in Clause 4 (general requirements for the service management system, including the PDCA cycle). This should be considered when assessing any process. In addition, the assessment of service reporting should consider the design of reports, the relationship between them and the quality of overall control.

There are many advantages to assessing and improving the quality of service reports early in an improvement programme, as the information obtained from good quality metrics and reports will provide invaluable input to planning service improvements, new and changed services and new processes.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Service reporting 6.2 | YES | NO | IN PROG. | N/A | Reference / comments

Is the service reporting process documented?

4.3

Are there documented descriptions of each service report including:

1. identity?

2. purpose?

3. audience?

4. frequency?

5. data sources?

Are the documented descriptions of reports agreed by the service provider and interested parties?

Are service reports produced for services?

Do the service reports use information from:

1. the delivery of services?

2. SMS activities, including service management processes?

Does service reporting include at least:

1. performance against service targets?

2. information about major incidents?

3. deployment of Clause 5 services?

4. invocation of the service continuity plan?

5. workload volumes?

6. periodic changes in workload volumes?

7. other workload characteristics?

8. nonconformities against Part 1 requirements?

9. nonconformities against SMS requirements?

10. nonconformities against service requirements?

11. causes of nonconformities?

12. trends?

13. customer satisfaction measurements?

14. analysis of customer satisfaction measurements?

15. service complaints?

16. analysis of service complaints?

Are decisions taken on the basis of service reports?

Are actions taken on the basis of service reports?

Are agreed actions communicated to interested parties?

6.3 Service continuity and availability management

Part 1 includes service continuity and availability management in one clause because the requirements for each process are similar. However, Part 1 does not require a service provider to have merged the processes (or to have a single team responsible for both).

If the service provider considers the two processes to be combined as a single process, e.g. with a single plan for both, the questions given below can be adapted to assess them as a single process.

There should be very close integration between the two processes even if they are separate, and this should be taken into consideration when doing the assessment.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Service continuity and availability management 6.3

YES | NO | IN PROG. | N/A | Reference / comments

Is (are) the service continuity and availability management process (or processes) documented?

4.3

Is there demonstrable coordination between the availability management process and closely linked processes, including:

ADV

1. backup recovery and scheduling?

2. service planning?

3. configuration management?

4. security?

5. incident management?

6. software and hardware maintenance?

6.3.1 Service continuity and availability requirements

Are risks to the service continuity assessed and documented?

4.1.1 & 4.5.2

Are risks to the availability of services assessed and documented?

4.1.1 & 4.5.2

Are service continuity requirements identified?

4.5

Are service continuity requirements agreed with the customer?

6.1 & 7.1

Are service continuity requirements agreed with interested parties?

4.2 & 4.5

Are availability requirements identified? 4.5

Are availability requirements agreed with the customer?

6.1 & 7.1

Are availability requirements agreed with interested parties?

4.2 & 4.5

Do the agreed requirements for service continuity take into account:

1. applicable business plans? 4.5 & 7.1

2. service requirements? 4.5, 6.1 & 7.1

3. SLAs? 4.5, 6.1 & 7.1

4. risks? 4.1.1 & 4.5.2

5. access rights to the services? 8.1

6. service response times? 6.5

7. end-to-end availability of services? 4.5

Do the agreed requirements for availability take into account:

1. applicable business plans? 4.5 & 7.1

2. service requirements? 4.5, 6.1 & 7.1

3. SLAs? 4.5, 6.1 & 7.1

4. risks? 4.1.1 & 4.5.2

5. access rights to the services? 8.1

6. service response times? 6.5

7. end-to-end availability of services? 4.5

6.3.2 Service continuity and availability plans

Are service continuity plans:

1. available (and documented)? 4.3

2. compatible with the customer's overall business plans?

ADV

3. implemented?

4. maintained?

5. under the control of change management?

9.2

Do the service continuity plans include:

1. documented procedures for the period following a major loss of service, or a reference to the procedures in the plan?

4.3

2. targets for availability post-invocation of the service continuity plan?

6.1 & 7.1

3. requirements for recovery of normal services post-invocation of the service continuity plan?

4. the approach proposed for the return to normal?

Have arrangements been made for the following to be available when access to the usual locations is not possible:

1. service continuity plans?

2. contact lists?

3. configuration management database (CMDB)?

Are availability plans:

1. available and documented? M & 4.3

2. compatible with the customer's business continuity plans?

ADV

3. implemented? M

4. maintained? M

5. under the control of change management?

M

Do the availability plans include:

1. availability requirements? 4.5, 6.1 & 7.1

2. availability targets? 4.5, 6.1 & 7.1

6.3.3 Service continuity and availability monitoring and testing

Are service continuity plans tested against requirements? M

Are issues that might affect availability predicted during testing and prevented?

ADV

Are service continuity plans retested after major changes to the service environment?

M

Are the results of tests and retests recorded?

M

Are availability audits carried out to supplement the testing of plans and to identify weak or potentially weak / single points of failure?

ADV

Is the availability of services monitored? 6.2

Are the results of monitoring recorded? 6.2

Is the actual availability compared to agreed targets?

6.2

Is an investigation done when lost availability is unplanned?

8.2

Are actions taken as the result of the investigation into lost availability?

4.5

Are availability plans tested against requirements?

Are availability plans retested after major changes to the service environment?

5 & 9.2

Are the results of tests and retests recorded?

M

Are the test results used for reviews of the service continuity plans?

4.5

Is a review conducted after the service continuity plan is invoked?

Is action taken when deficiencies are found in the service continuity plans?

4.5

Is there a report on the action taken?

6.4 Budgeting and accounting for services

Financial management includes budgeting, accounting and charging. Only budgeting and accounting are included in Part 1.

Although many service providers charge for their services, charging is not appropriate for all service providers. It is recommended that where charging is done, the charging should be to best practice standards, although best practices on charging are not a requirement for achieving Part 1.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Budgeting and accounting for services 6.4

YES | NO | IN PROG. | N/A | Reference / comments

Is the budgeting and accounting for services documented?

4.3

Is there an interface between the process for budgeting and accounting for services and other financial management processes?

Is the interface defined and documented?

Are there documented policies for budgeting and accounting for service components including:

4.3

1. assets used to provide the services (e.g. licences)?

4.1.4

2. shared resources? 4.4 & 6.5

3. overheads?

4. capital and operating expenses?

5. externally supplied services?

6. personnel?

7. facilities?

Are there documented procedures for budgeting and accounting for service components including:

4.3

1. assets used to provide the services (e.g. licences)?

2. shared resources?

3. overheads?

4. capital and operating expenses?

5. externally supplied services?

6. personnel?

7. facilities?

Is there a documented policy / policies for apportioning indirect costs to services?

4.3

Is there a documented procedure for apportioning indirect costs to services?

4.3

Is there a documented policy / policies for allocating direct costs to services?

4.3

Is there a documented procedure for allocating direct costs to services?

4.3

Is the financial control by the budgeting and accounting process effective?

Are the main areas of expenditure broken down into cost units that are appropriate for the budgeting and accounting?

ADV

Are the actual costs:

1. monitored?

2. reported against the budget?

3. used for financial forecasts?

4. managed?

Where appropriate, are procedures adopted for cost recovery?

ADV

If charging is done, is influencing customer behaviour a factor in setting prices?

ADV

Is it possible to provide an overall cost for each service?

Is information provided to the change management process to support the costing of requests for change?

6.5 Capacity management

Like many processes, capacity management might need to process a wide variety of inputs. Capacity management can also produce a wide variety of outputs. Both input and output can also vary over time. Figure 7 shows some of the inputs and outputs. When assessing capacity management, care should be taken to check that the inputs and outputs not only fulfil the Part 1 requirements, but are also appropriate to the service provider’s circumstances.

Figure 7 – Capacity management inputs and outputs

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Capacity management 6.5

YES | NO | IN PROG. | N/A | Reference / comments

Is the capacity management process documented?

4.3

Are capacity and performance requirements identified?

Are capacity and performance requirements agreed with the customer?

Are capacity and performance requirements agreed with interested parties?

Does the service provider have a documented capacity plan?

4.3

Does the capacity plan take into account resources of the following types:

1. human?

2. technical?

3. information?

4. financial?

Does the capacity plan include current demand for services?

Does the capacity plan include forecast demand for services?

Does the capacity plan include forecast impact of:

1. agreed availability requirements?

2. service continuity requirements?

3. service level requirements?

4. statutory changes? M

5. changes to regulations? M

6. contractual changes? M

7. organizational changes? M

8. impact of new technologies? M

9. impact of new techniques? M

For upgrades to service capacity, does the capacity plan include:

1. timescales?

2. thresholds?

3. costs?

Are there documented procedures for predictive analysis of capacity and performance?

4.3

Is the capacity plan:

1. implemented? M

2. maintained? M

3. under the control of the change management process?

M

Is the actual capacity usage monitored?

Is the monitored usage analysed?

Is the performance tuned?

Is there sufficient capacity to fulfil agreed capacity and performance requirements?

6.6 Information security management

Information security is control-based: each control is equivalent to a requirement in Part 1, that is, a process or activity that is required.

The ISO/IEC 27000 family of standards specifies requirements and provides guidance to support the implementation and operation of an information security management system.

A service provider certified against ISO/IEC 27001 could also achieve the standards required for security detailed in this section of the workbook. However, this is not always the case. For example, major changes could have occurred since the audit against ISO/IEC 27001 that mean the service provider would no longer meet the requirements of ISO/IEC 27001 or of ISO/IEC 20000-1, Clause 6.6. The scope of the ISO/IEC 27001 certification audit could be different to the scope of an assessment under ISO/IEC 20000-1. This workbook assumes that Part 1 Clause 6.6 will be assessed, irrespective of the status of certification under ISO/IEC 27001. The ISO/IEC 27000 series will provide information useful for the Part 1, Clause 6.6 assessment using this workbook.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Information security management 6.6

YES | NO | IN PROG. | N/A | Reference / comments

Is the information security management process documented?

4.3

Is the manager responsible for information security familiar with the ISO/IEC 27000 series, in particular ISO/IEC 27001?

ADV

6.6.1 Information security policy

Is the policy documented and approved by management with appropriate authority?

4.3

Is the policy approved by management with the seniority to understand:

1. service requirements?

2. statutory requirements?

3. regulatory requirements?

4. contractual obligations?

Do management communicate:

1. the policy?

2. the importance of conforming to the policy?

Is the communication to appropriate personnel within the following organizations:

1. service provider?

2. customer?

3. suppliers?

Do management ensure there are documented information security objectives?

Are the objectives communicated and understood?

Are the objectives used as part of the information security management process?

Is there a documented approach to management of information security risks?

Does the approach include the use of agreed criteria for accepting some risks?

Are the risks assessed?

Is the risk assessment according to an agreed timetable?

Are internal information security audits conducted?

Are the results of the audits reviewed to identify opportunities for improvement?

6.6.2 Information security controls

Have the following information security controls been implemented:

1. physical?

2. administrative?

3. information?

Are information security controls for access by the external organizations documented?

Have the documented controls been agreed by the service provider and each external organization?

Have the documented controls been implemented by the service provider and each external organization?

M

Have the following controls been successfully operated:

1. physical?

2. administrative?

3. information?

4. those implemented by the service provider and each external organization identified?

M

Is the following provided by operation of the controls:

1. confidentiality of information assets?

2. integrity of information assets?

3. accessibility of information assets?

4. fulfilment of the information security policy?

5. achievement of the information security objectives?

6. management of information security risks?

Are the controls documented?

Does the documentation of each control include:

1. a description of the risks to which the control relates?

2. the operation of the control?

3. the maintenance of the control?

Is the effectiveness of the controls reviewed?

Is action taken as the result of the review of controls?

Is the action taken reported on?

Have external organizations that need to access or use or manage the service provider’s information been identified?

Have external organizations that need to access or use or manage the service provider’s services been identified?

6.6.3 Information security changes and incidents

Are requests for change assessed to identify:

1. new information security risks?

2. changes to risks previously identified and assessed?

3. potential impact on the existing information security policy?

4. potential impact on the existing information security controls operated by the service provider?

5. potential impact on the existing information security controls operated by external organizations?

Are information security incidents managed using incident management procedures?

4.3

Is the priority allocated to information security incidents suitable for the risk associated with each incident?

Is the following analysed for information security risks:

1. types?

2. volumes?

3. impacts?

Are the information security incidents reported?

Are the reports reviewed to identify opportunities for improvement?

7 Relationship processes

Relationship processes describe the two related aspects of business relationship management and supplier management. This should be considered when relationship processes are being assessed.

7.1 Business relationship management

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Business relationship management process 7.1

YES | NO | IN PROG. | N/A | Reference / comments

Is the business relationship management process documented?

4.3

Have the following been identified and documented for the service(s):

1. customer(s)?

2. users?

3. interested parties?

Is there an individual identified to have responsibilities towards each customer?

Do the responsibilities include:

1. customer relationship?

2. customer satisfaction?

Is there a communication mechanism with each customer?

Does the mechanism promote understanding of:

1. the customer's business environment?

2. requirements for new services?

3. requirements for changes to services?

Does the information and understanding enable the service provider to respond to new or changed requirements?

Is the performance of the services reviewed?

Is the performance review at planned / timetabled intervals?

Is the review with the customer?

Are changes to service requirements:

1. documented by the BRM process?

2. under the control of the change management process?

Are changes to SLAs coordinated with the service level management process?

Is there a definition of 'service complaint'?

Is the definition agreed with the customer?

Is there a documented procedure to manage service complaints from the customer?

4.3

Does the procedure take into account the definition of a service complaint?

For each service complaint is the service complaint:

1. recorded?

2. investigated?

3. acted upon?

4. reported?

5. closed when resolved or escalated?

Is there an escalation route for complaints not resolved by the normal procedure?

Is the customer aware of how to escalate an unresolved complaint?

Is customer satisfaction measured?

Is the measurement at planned intervals / to a predetermined timetable?

Is the measurement based on a representative group of customers and users?

Are the results analysed?

Are the results reviewed to identify opportunities for improvements?

7.2 Supplier management

The actual selection of suppliers and the procurement of services is outside the scope of Part 1.

The role of suppliers and how supply chains affect applicability and scope of the 20000 series are given in Part 3, primarily as scenario-based examples.

The service provider is permitted to use suppliers to implement and operate some parts of the service management processes. This is also affected by the need to have governance of processes operated by other parties.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Supplier management 7.2

YES | NO | IN PROG. | N/A | Reference / comments

Is the Clause 7.2 process documented? 4.3

Is there an individual (this may be one individual for several suppliers) responsible for managing the following for each supplier:

1. relationship between the service provider and supplier?

2. contract with the supplier?

3. performance of the supplier?

Is there a documented contract? 4.3

Is the contract agreed (signed)?

Does the contract include or refer to:

1. the scope of the services to be delivered?

2. the dependencies between services, processes and the parties involved?

3. all parties that affect dependencies identified in the contract?

4. a mechanism for ensuring any sub-contracted suppliers deliver the required service?

ADV

Are the responsibilities of the supplier documented clearly in the contract:

1. requirements to be fulfilled?

2. service targets to be met?

Does the contract include interfaces between service management processes operated by the supplier and the following:

1. other suppliers?

2. sub-contracted suppliers (for lead suppliers)?

3. internal groups (internal to the service provider's organization)?

4. customers, when acting as suppliers?

Does the contract require integration of the supplier's activities within the SMS?

Does the contract identify the characteristics of the workload to be dealt with by the supplier (e.g. seasonal trends, peaks and troughs in business activities)?

Are contract exceptions included?

Is handling of contract exceptions described?

Are the authorities / authority levels of the service provider included?

Are the authorities / authority levels of the supplier included?

Are the responsibilities of the service provider included?

Are the responsibilities of the supplier included?

Is reporting by the supplier included?

Is communication by the supplier included?

Is the basis for charging by the supplier included?

Is management of contract termination included, including the activities and responsibilities of all parties for:

1. planned termination (date in the contract)?

2. early termination by the service provider?

3. early termination by the supplier?

Are service levels agreed with the supplier?

Do the agreed service levels support and align with the service provider's SLA with their customer?

Is the relationship between each lead and sub-contracted supplier documented?

Are the roles of each of the lead and sub-contracted suppliers documented?

Does the service provider check that each lead supplier is managing each sub-contracted supplier?

Does this check include fulfilment of contractual obligations of:

1. each sub-contracted supplier?

2. each lead supplier?

Is the performance of each supplier monitored?

Is the monitoring to an agreed timetable?

Is the performance of each supplier measured against service targets?

Are the results of the performance measurement recorded?

Is the performance of each supplier measured against other contractual obligations?

Are the results of the performance measurement recorded?

Are recorded results reviewed to identify:

1. the causes of nonconformities?

2. opportunities for improvement?

3. if the contract still reflects current requirements?

Are changes to the contract controlled by the change management process?

Is there a procedure for service provider and supplier contractual disputes?

Is the procedure documented?

8 Resolution processes

Incident, service request and problem management are closely linked. This should be considered when the topics are being assessed. Names for processes can be different in practice to those used in the 20000 series, as long as the requirements are met.

8.1 Incident and service request management

Incident and service request management are dependent on problem management and vice versa.

In the 20000 series, major incidents are a special type of incident where there may be deviations from the normal process and procedures for incident management. Deviations are limited to incidents that meet the definition of major incident agreed in advance.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Incident and service request management 8.1

YES | NO | IN PROG. | N/A | Reference / comments

Is (are) the incident and service request process (processes) documented?

4.3 & 6.6

Is there a documented procedure that defines incident:

4.3

1. recording? 6.6

2. allocation of priority? 6.6

3. classification? 6.6

4. updating of records? 6.6

5. escalation? 6.6

6. resolution? 6.6

7. closure? 6.6

For priority setting, is the priority influenced by:

M

1. impact? M & 6.6

2. urgency? M & 6.6

Is the customer kept informed of the progress of their reported incident?

M

Is the customer informed if incident service targets cannot be met?

Are interested parties informed if incident service targets cannot be met?

If the incident target is at risk or failed, is it escalated according to a procedure?

Are all incidents logged electronically? ADV

Does the incident logging / recording process take input via:

ADV

1. telephone?

2. email?

3. automated alert software?

4. direct logging by the end-user?

Is the procedure used for all incidents?

Can personnel involved in incident management access relevant information?

M

Do personnel involved in incident management use the relevant information they have access to?

M

Does information used in incident management include the following:

M

1. procedures? M

2. known errors? M

3. problem resolutions? M

4. CMDB? M

5. success or failure of releases? M

6. future release dates? M

Is there a documented procedure for managing service request fulfilment?

4.3

Does the procedure cover all stages from recording to closure, including setting priorities?

For priority setting, is the priority influenced by:

M

1. impact? M

2. urgency? M

Are all service requests logged electronically?

ADV

Does the service request logging / recording process take input via:

ADV

1. telephone?

2. email?

3. direct logging by the end-user?

Is the procedure used?

Is the procedure used for fulfilment of all service requests?

Can personnel involved in service request fulfilment access relevant information?

M

Do personnel involved in service request fulfilment use the relevant information they have access to?

M

Does information used in service request fulfilment include the following:

1. procedures?

2. known errors?

3. problem resolutions?

4. CMDB?

5. success or failure of releases?

6. future release dates?

Is the customer kept informed of the progress of their reported service request?

Is the customer informed if service request targets cannot be met?

Are interested parties informed if service request targets cannot be met?

Is an at risk or failed service request target escalated according to the procedure?

For major incidents:

1. is there a definition of major incidents?

2. is this documented?

3. is it agreed with the customer?

Are major incidents classified according to the agreed definition?

Are the major incidents managed according to a procedure?

Is the procedure documented?

Does the procedure require top management to be informed of the major incident?

Are top management informed according to the procedure?

Do top management ensure that the major incident manager is appointed?

Does the major incident manager have responsibility for the major incident?

Are major incidents reviewed after service has been restored?

Does the review identify opportunities for improvement?

8.2 Problem management

The intention of the problem management process is to ensure the causes of service interruptions are understood and action is taken to minimize the disruption of the customer’s service.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Problem management 8.2

YES | NO | IN PROG. | N/A | Reference / comments

Is the Clause 8.2 process documented? 4.3

Is there a documented procedure for: 4.3

1. minimizing the impact of incidents?

2. minimizing the impact of problems?

Does the procedure also cover:

1. identification?

2. recording?

3. allocation of priority?

4. classification?

5. updating of records?

6. escalation?

7. resolution?

8. closure?

Is the procedure followed?

Is incident data analysed by problem management to identify:

1. trends?

2. root causes?

3. possible preventive action?

Is problem data analysed by problem management to identify:

1. trends?

2. root causes?

3. possible preventive action?

When a method of problem resolution is identified, is a check made to see if this requires a change to a CI?

When a CI will be changed by resolution, is a request for change raised?

If the root cause is understood but the problem is not to be permanently resolved, are actions identified to reduce or eliminate the impact of the problem?

Are the actions identified taken?

Are the problems where the root cause is understood but not to be resolved recorded as known errors?

Is the effectiveness of problem resolution:

1. monitored?

2. reviewed?

3. reported?

Is up-to-date information on known errors available to incident management? 8.1

Is up-to-date information on problem resolutions made available to incident management? 8.1

9 Control processes

The integration of control processes is particularly important. This should be considered when assessing these processes. All three control processes are linked to many other processes. This is especially the case for change management. Clause 5, transition of new or changed services, is linked to all three of the control processes.

9.1 Configuration management

The scope of the configuration management process excludes financial asset management.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Configuration management 9.1

YES | NO | IN PROG. | N/A | Reference / comments

Is the Clause 9.1 process documented? 4.3

Is there a definition for each type of CI?

Is the definition documented?

Is the following held for each CI:

1. description of the CI?

2. relationship(s) between the CI & other CIs?

3. relationship(s) between the CI and service components?

4. status?

5. version?

6. location?

7. associated requests for change?

8. associated problems and known errors?

Is each CI uniquely identified?

Is that identification recorded in a CMDB?

Is the CMDB managed to ensure:

1. reliability?

2. accuracy?

3. control of update access?

Does a documented procedure for versions of CIs cover: 4.3

1. recording?

2. controlling?

3. tracking?

Is the control of CIs good enough for:

1. maintaining the integrity of the services?

2. maintaining integrity of service components?

3. fulfilment of service requirements?

4. management of risks for each type of CI?

Are the records in the CMDB audited?

Is the audit done at planned intervals (to a timetable)?

Is appropriate action taken identified when deficiencies are found during the audit?

Is the action taken reported on?

Is information from the CMDB provided to the change management process?

Is the information provided suitable to support requests for change?

Are changes to CIs traceable?

Are changes to CIs auditable?

Is the audit trail of changes suitable to ensure:

1. integrity of the CIs?

2. integrity of the data on CIs in the CMDB?

Are audit results available as evidence of suitability?

Is a configuration baseline taken before deployment into the live environment?

Is there a configuration baseline (of the CIs to be affected by the release being deployed)?

Are master copies of CIs recorded in the CMDB?

Does this include: M

1. documentation?

2. licence information?

3. software?

4. any available images of hardware configurations?

Are the recorded master copies stored in a secure library:

1. either physical?

2. or electronic?

Is the secure storage referenced in the configuration records on the CMDB?

Is there an interface between the configuration management process and financial asset process?

Is the interface defined and documented?

9.2 Change management

Change management plays an important role in the implementation of new and changed services (Section 5 of this workbook). This should be considered when assessing either the implementation of new or changed services or the change management process.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Change management 9.2

YES | NO | IN PROG. | N/A | Reference / comments

Is there a documented change management policy? 4.3

Does the policy cover:

1. identification of CIs under the control of change management?

2. criteria defining high risk changes to which Clause 5 is also applied?

Do the criteria in the change management policy include all:

1. removals of a service?

2. transfers of services to a different party?

3. changes to services that have the potential to have a major impact on the services?

4. changes to services that have the potential to have a major impact on the customer?

Is the Clause 9.2 process documented? 4.3

Are all changes that meet the criteria in the change management policy managed by:

1. the change management process? M

2. and by Clause 5 (new and changed services)? M

Does the assessment of a change use information on failed releases? 9.3

Is there a documented procedure for request for change: 4.3

1. recording?

2. classification?

3. assessment?

4. approval?

Is the procedure followed?

Is there a definition of emergency change?

Is the definition documented?

Is the documented definition agreed?

Is there a documented procedure for managing emergency changes? M & 4.3

Is there an interface between the emergency change management process and the release and deployment process? 9.3

Is a request for change produced for all changes to services?

Is a request for change produced for all changes to service components?

Do requests for change have a defined scope?

Are all requests for change recorded?

Does the record include a change classification (e.g. pre-agreed, normal, emergency)?

Are requests for change assessed using information from:

1. the change management process?

2. the release and deployment management process?

3. other processes?

Are decisions on the acceptance of requests for change made by:

1. the service provider?

2. interested parties?

Does decision making consider:

1. risks?

2. potential impacts to services?

3. potential impacts to service requirements?

4. new or changed service requirements?

5. potential business benefits?

6. technical feasibility?

7. financial impact?

Are approved changes:

1. developed?

2. tested?

Is there a documented schedule of changes?

Does the schedule of changes include:

1. details of approved changes?

2. proposed deployment dates?

Is the schedule communicated to interested parties?

Is the schedule of change used for planning deployment of releases?

Are suitable actions identified for unsuccessful changes?

Are the actions included in a plan as part of the change request?

Is the plan tested where possible?

Are unsuccessful changes:

1. reversed according to the plan?

2. remedied according to the plan?

Are unsuccessful changes investigated?

Are actions agreed as the result of the investigation?

Are the agreed actions taken?

Are CMDB records updated following successful deployment of changes?

Are changes reviewed for effectiveness?

Are actions identified as the result of the review?

Are identified actions agreed with interested parties?

Are agreed actions taken?

Are requests for change analysed?

Is the analysis done at planned intervals (to a timetable)?

Does the analysis detect trends?

Are the results and conclusions from the analysis recorded?

Are the recorded results analysed?

Does the analysis provide opportunities for improvement?

9.3 Release and deployment management

A release is used when one or more changes are better batched and deployed together. The decision to deploy a release is not made ad hoc. A policy defines the types and frequency of releases. There is a strong link and inter-dependency between the Part 1, Clause 5 requirements for the additional protection provided by the release management process and the control processes, including the release and deployment management process.

Interviewee name:

Role: Time in role:

Date: Purpose of interview:

Assessor /ref.:

'M' indicates the entry is not in the same order as in Part 1. 'ADV' is advice not a requirement.

Release and deployment management 9.3

YES | NO | IN PROG. | N/A | Reference / comments

Is there a release policy?

Does the release policy state the types and frequency of releases?

Is the release policy agreed with the customers?

Is the Clause 9.3 process documented? 4.3

Is there a plan for the deployment of new or changed services and service components (Clause 5 changes)?

Does the plan cover deployment into the live environment?

Is the plan developed with the involvement of the customers?

Is the plan developed with the involvement of interested parties?

Is the plan agreed by the involved customers and interested parties?

Is planning coordinated with the change management process?

Does the planning include references to any:

1. related requests for change?

2. known errors?

3. problems being closed by the release?

4. dates for deployment of each release?

5. deliverables from each release?

6. methods of deployment?

Is there a documented definition of an emergency release?

Is the definition agreed with the customer?

Is there a documented procedure for management of emergency releases? 4.3

Does the procedure interface to the emergency change procedure?

Is the procedure followed?

Are releases completely built before deployment?

Are releases tested before deployment?

Is there an acceptance test environment?

Is the acceptance test environment controlled?

Is the test environment used for building releases?

Is the test environment used for testing releases?

Are there acceptance criteria for releases?

Are the acceptance criteria agreed with the customer?

Are the acceptance criteria agreed with interested parties?

Is each release verified against the agreed acceptance criteria?

Is the verification used as input to an approval process?

Are only approved releases deployed?

If verification shows the acceptance criteria are not met, are decisions made on next steps (e.g. correction, withdrawal etc.)?

Are the decisions on next steps made with interested parties?

Are approved releases deployed into the live environment in a way that maintains the integrity of:

1. hardware?

2. software?

3. other service components?

Are the activities for management of an unsuccessful release by reversal or remediation:

1. planned?

2. tested if possible?

Is the success or failure of a release monitored? M

Does the monitoring include measurement of incidents related to the release? M

Does the monitoring continue for a suitable period after the release is deployed into the live environment? M

Are the results of the monitoring analysed? M

Does the analysis include assessment of the impact of the release on the customer? M

Are the results of the analysis of both successful and unsuccessful releases recorded? M

Are opportunities for improvements identified by the investigation?

Are unsuccessful releases investigated?

Are opportunities for improvements identified by the investigation?

Are actions taken as the result of the investigation?

Are the actions taken first approved?

Are unsuccessful releases actually reversed or remedied?

Is information about successful and failed releases provided to the:

1. change management process?

2. incident management process?

3. service request management process?

Does the information provided include future release dates (e.g. following fixing of the deficiencies)?

Is information on successful releases provided to the change management process?

Is the information provided suitable for the assessment of the impact of requests for change on releases and deployment plans?

Annex A – Bibliography and other sources of information

Handbooks

Jenny Dugmore (2011) The ISO/IEC 20000 Service Management Handbook, ConnectSphere, ISBN-13: 978 1 908 77200 8

Other handbooks will be available in 2012. They include advice on the use of ITIL to achieve Part 1 requirements, governance of IT, information security and customer satisfaction management. See http://www.connectsphere.com.

Other books

Jenny Dugmore and Shirley Lacy (2011) Introduction to the ISO/IEC 20000 series: IT Service Management, BSI, ISBN-13: 978 0 580 72846 4

Jenny Dugmore and Shirley Lacy (2011) A Manager's Guide to Service Management, BSI (6th edition), ISBN-13: 978 0 580 72845 7

Lynda Cooper (2011) A Guide to the new ISO/IEC 20000-1: The differences between 2005 and 2001 editions, BSI, ISBN-13: 978 0 580 72850 1

Toolkits

Shirley Lacy and Jenny Dugmore (2012) ITSM, ITIL® & ISO/IEC 20000 Implementation Toolkit, IT Governance, CD (2nd edition, ITIL accredited)

Standards

ISO/IEC 20000-1, Information technology — Service management — Part 1: Service management system requirements

ISO/IEC 20000-2, Information technology — Service management — Part 2: Guidance on the application of service management systems

ISO/IEC 20000-3, Information technology — Service management — Part 3: Guidance on scope definition and applicability for ISO/IEC 20000-1

ISO/IEC TR 20000-4, Information technology — Service management — Part 4: Process reference model

ISO/IEC TR 20000-5, Information technology — Service management — Part 5: Exemplar implementation plan for ISO/IEC 20000-1

ISO 9000, Quality management systems — Fundamentals and vocabulary

ISO 9001, Quality management systems — Requirements

ISO 9004, Quality management systems — Guidelines for performance improvements

ISO 10002, Quality management — Customer satisfaction — Guidelines for complaints handling in organizations

ISO/IEC 17021:2011, Conformity assessment — Requirements for bodies providing audit and certification of management systems

ISO 19011, Guidelines for quality and/or environmental management systems auditing

ISO/IEC 19770-1, Information technology — Software asset management — Part 1: Processes

ISO/IEC/IEEE 24765, Systems and software engineering — Vocabulary

ISO/IEC 27000, Information technology — Security techniques — Information security management systems — Overview and vocabulary

ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements

ISO/IEC 27005, Information technology — Security techniques — Information security risk management

ISO 31000, Risk management — Principles and guidelines

ITIL and other (UK Government) Cabinet Office publications

Office of Government Commerce (2005) Managing Successful Projects with PRINCE2, TSO, ISBN-13: 978 0 113 30946 7

The Project Management Institute (2008) A Guide to the Project Management Body of Knowledge (PMBOK® Guide), 4th edition, Project Management Institute, ISBN-10: 19 3069 945 X, ISBN-13: 978 1 930 69945 8

Cabinet Office ITIL Glossaries (www.best-management-practice.com/IT-Service-Management-ITIL)

Cabinet Office (2011) Service Strategy, TSO, ISBN-13: 978 0 113 31307 5

Cabinet Office (2011) Service Design, TSO, ISBN-13: 978 0 113 31305 1

Cabinet Office (2011) Service Transition, TSO, ISBN-13: 978 0 113 31306 8

Cabinet Office (2011) Service Operation, TSO, ISBN-13: 978 0 113 31307 5

Cabinet Office (2011) Continual Service Improvement, TSO, ISBN-13: 978 0 113 31308 2

Office of Government Commerce (2010) The Introduction to the ITIL Service Lifecycle, TSO, ISBN-13: 978 0 113 31062 3

COBIT, ISACA and ITGI publications

CobiT® 4.1, 2007, www.isaca.org/cobit – The CobiT framework (being updated to COBIT 5)

CobiT® User Guide for Service Managers, 2009 Implementing and Continually Improving IT Governance

ITGI Enables ISO/IEC 38500:2008 Adoption, 2009

Web addresses

www.isaca.org

www.iso.org

www.itgi.org

www.itgovernance.co.uk

www.itil-officialsite.com