Iso20000 2018


ISO 20000:2018

IT Service Management (ITSM)


ITSM encompasses: Design, Develop, Deliver, Improving IT services, Control, Operate
For: services related to IT services and for its offering to customers

ITSM is based on: Business Outside IT, Employee Satisfaction, Productivity

Adopting ITSM: Control Processes & Workflows, Operational Level Tasks

ISO/IEC 27001 on information security management system

ISO 20000 series on IT service management, based on its compatibility with ITIL

Six Sigma methodologies

COBIT (Control Objectives for Information and Related Technology) for IT

ITIL (Information Technology Infrastructure Library) is a framework on IT service management

to ensure uninterrupted, smooth, and protected end-to-end delivery of various IT services to customers.

The ISO 20000 series is the set of international standards on ITSM and shows the role for organizations.
ISO 20000-1 is drafted based on the fundamental principles of ITIL, and companies can be certified
against it.
ITIL is a set of best practices that guide organizations to align IT services from the business needs
perspective and explains how things need to be done. ITIL can be used to implement ISO
20000-1. Organizations can implement ISO 20000-1
There are 10 parts of ISO 20000. The most important are the 1st and 2nd parts. ISO/IEC 20000-4
and ISO/IEC 20000-9, since the 2018 update, are no longer included as parts of the standard and are
declared obsolete.

1.- Requirements of service management


lists requirements for establishing, implementing, maintaining, and continually improving the
organization’s SERVICE MANAGEMENT SYSTEM

Planning, design, transition, delivery and service improvement

For companies that need to show the capability to plan, design, transition, deliver and improve services, and
stakeholders that seek to perform compliance assessments against this standard

2.- Guidance on applications of SMS

Update: 2019, improves the clarity of the guidelines. Provides examples and context to empower the company
to interpret and integrate ISO 20000-1 in its structure; it's like a supplementary resource for applying
the 1st part. It has activities, explanations and other information.

3.- Guidance on scope definition & applicability of ISO/IEC 20000

For defining the scope and application. Basically it's applied with consultants and assessors for
planning a compliance assessment against ISO/IEC 20000, and includes examples in Annex A.

5.- Model Implementation Plan for ISO/IEC 20000-1

Update: 2013

Guides the integration and fulfilment of the requirements. It’s primarily for service providers. Provides guidance to plan,
implement and improve an SMS through a sequence-based plan, and the provider can choose the order
of implementation as per its needs.

Includes: Examples of policies and templates of some documents as guidance on documentation
management.

6.- Requirements for auditing & certification bodies

Certification bodies can use it for auditing. Fulfilling the requirements of ISO/IEC 20000-6:2017 and
ISO/IEC 17021-1 is expected of certification bodies.

7.- Correlation of 20000-1 to 9001 & 27001

The 7th part makes a correlation with quality and information security management systems. Although
you need to implement 9001 and 27001. So, you can integrate management system
standards (MSS).

Clause 4 Applications of integrating an MSS and HLS of MSS.

Clause 5 Applications of integrating an SMS and an MSS; similarities and differences between 9001 and 20000-1

Clause 6 Applications of integrating an SMS and an MSS; similarities and differences between 9001 and 27001

Clause 7 provides considerations for integrating an SMS, a QMS, and an ISMS

Annex A: Correlation between 20000-1, 9001 and 27001

Annex B: Relationship between 20000-1 and 9001

Annex C: Relationship between 20000-1 and 27001

10. Concepts and vocabulary


Relates to the other standards and technical reports and helps identify how different parts support
ISO/IEC 20000-1:2018. Provides a guide for understanding definitions and implementations for auditors,
practitioners and other parties.

11.- Relationship between ISO/IEC 20000-1 & ITIL Service Management (20000-11)

It’s for:

 Service providers who want guidance on ITIL application or wish to demonstrate that their ITIL has
compliance with ISO/IEC 20000-1
 Auditors and assessors who seek to understand how ITIL can support the requirements in 20000-1

Annex A & B: provide terms and clauses that relate 20000-1 with ITIL

Clause 4: How ITIL supports compliance with 20000-1

Clause 5: ITIL relates to some clauses of 20000-1

 12.- Relationship Between ISO/IEC 20000-1 & CMMI-SVC v1.3

If a company has established CMMI-SVC process areas, it may complete it with 20000-1

An SMS provides help to plan, design, manage and improve information technology related services and
processes, taking into account all processes and encounters throughout its lifecycle

IT services are, but not limited to:

 Troubleshooting services
 Networking, cloud and storage services

IT companies need to develop, deploy, manage, optimize and potentially retire each service, and a Service
Level Agreement can be associated with each service to ensure that the IT organization fulfills the business
expectations and is aware of the consequences if the service delivery is subpar.

Service customer: A consumer of services provided by the service provider. Though, they have
expectations associated with the delivery

Roles in an ITS:

A consumer demands a service, then the IT managers create a strategy to capitalize the service with
software, hardware and engineers' expertise. It’s important to monitor the services to troubleshoot any
incidents that threaten service objectives. Furthermore, to establish Key Performance Indicators (KPIs),
communicate them and assess KPIs.

FOR ITSM IT’S IMPORTANT TO:

Control

Assess management

Perform changes

Monitor incidents: Optimizing asses to the potential impact of incidents

Project management: IT must show commitment to maintaining service delivery to avoid issues such as an
outdated system

Best IT Service Management Standards & Frameworks


 ISO 20000
 Information Technology Infrastructure Library (ITIL)
 Control Objectives for Information and Related Technologies (COBIT)
 Microsoft Operations Framework (MOF).

The business ecosystem is the policies, procedures and processes to fulfill the delivery of services.
The best practices are focused on meeting the demanding and changing needs, and ITIL/20000 suit their
needs.

Provides IT managers with the ability to determine operators' actions and the handling of incidents and
service requests. These activities create high-level accountability for how the IT organization delivers
services. Furthermore, by reviewing incident records, IT managers can verify conformity with policies
and procedures.

ITSM can provide the most cost-effective plans for the acquisition and disposal of IT assets as well as
optimize the management of IT assets

Benefits

Improvement in efficiency

Improved accountability within Business activities

Reduction in operational costs

Visibility into operations

Improvement in effectiveness

Increase in self-service productivity

Businesses can optimize and standardize their service delivery by adopting formalized processes and IT
service management rules. Furthermore, an ITSM is compatible with Capability Maturity Model
Integration (CMMI).

Incident: an unplanned interruption to a service, a compromise in the quality of service. It can also be an
event that has not yet impacted the service to the customer or user but has the potential to do so

Non-conformity: non-fulfillment of a requirement

Complaint: something referred to as a grievance raised by the customer. It can be both incidents
or not. However, it is usually an escalation of some grievance.

Main changes:

Does not include preventative measures

All processes are independent: continuity management, availability management, incident management
and service request.

Does not reference the PDCA cycle

Includes “ASSET” as an entity that has value for the organization


CMDB (Configuration management database) is not included in ISO 20000:2018, even though it was an
essential part of ISO 20000:2011.

Includes the section "8.2.3 - Control of parties involved in the service lifecycle." compared to ISO
20000:2011's "4.2 - Governance of processes operated by other parties."

ISO 20000:2018 redefines the section regarding "Design and development of new or changed services"
and introduces a point for change management, delivery management, and transition and design services.

There are now seven operational processes:

complete lifecycle service development

deployment

delivery

support

4. Context of the organization: internal and external factors and stakeholders and their potential impact
on the organization and capability to achieve business objectives. Mentions the interested parties'
expectations, such as customers, workers, and suppliers, relevant to the SMS. Including PESTLE
(Political, Economic, Social, Technological, Legal, Environmental) analysis and SWOT (Strengths,
Weaknesses, Opportunities, and Threats)

4.3 Scope: specifies the services which are important to the organization for delivery and supporting

4.4 Establish, implement, maintain and continually improve the service management system (processes,
process sequence and interactions, the appropriate method, resources, opportunities).

5. Leadership: delivery services require necessary policies, processes, people, tools, and technologies, and complete
commitment from the organization's leadership.

• The organization must have an appropriate level of control over other parties committed to the service
lifecycle

• The organization must improve the effectiveness of the SMS and services by guiding and supporting
personnel

5.2 Policy: It must be maintained as documented information, appropriate to the objectives of the
organization, and available to appropriate interested parties

5.3 (Clause 5) Replaces the 4.1.4 in ISO 20000:2021, Management representative. The newer clause does not
require a specific staff member. Ensure that reporting regarding the SMS performance is carried out by
assigning responsibilities and authorities

6. Planning: Management of the opportunities and support of risk management during the planning phase, and
how to achieve the SM objectives. Includes supporting risk management and capitalizing on
opportunities.

• Determine how risks and opportunities impact customers

• Determine the risk acceptance criteria of the organization

• Determine how the organization approaches risk management.

The requirements of this sub-clause classify as documented information.

6.2.1. The objectives

6.2.2 Determine the organization’s future activities, resource availability, ITSM responsibilities

6.3 Plan the service management:

A list of all services covered by the SMS

The identified limitations of the SMS

Obligations set by the SMS

All authorities and responsibilities for the SMS

The resources provided for the SMS

How other parties approach the SMS

The technology implemented in the SMS

The process established to measure, audit, report, and improve the performance of the SMS

7. Support of the SMS: Stresses the importance of resource availability, knowledge management,
internal/external communications, documented information and employee competence.

7.1 Human, technical, information and financial resources needed

7.2 Competence: of the staff and the performance

7.3 Awareness: staff is aware of the SMS policy, the objectives, the services associated with their job
position and the consequences of not complying with SMS policies.

7.4 Communication to internal and external channels

7.5 Documented information: define what is appropriate, ensure the identification, follow a format, review it,
protect the integrity, control the distribution, storage, including the scope of the SMS, policy, objectives,
service management plan, change management policy, information security policy, and service
continuity plan(s), the processes and the SLAs (Service Level Agreements)

7.6 Establish the knowledge regarding the Service Management System

8. Operation of the service management system: Implement activities and processes, covering all the
lifecycle (acquisition, planning and control, service design, service assurance and retirement, among other
stuff).

Show the processes are performed efficiently. The processes must have control data,

Service delivery

8.2.2 The organization must identify and manage the internal and external dependencies of its
services, must propose changes in policy, objectives, and service requirements to align them

8.2.3 Control of the parties involved in the service lifecycle (for services provided by other parties): The
organization must establish control measures for assessing and evaluating the effectiveness,
performance, and the processes supplied by other parties

8.2.4 to establish and manage the service management catalog(s)

8.2.5 The requirement specified in this clause is that the organization must ensure the proper
management of assets.

The term “asset” is defined in Clause 3.2.1 of the standard as “an item, thing or entity that has potential
or actual value to an organization.”

8.2.6 Establish and document a unique identification for configuration information, type of configuration
item, description of the configuration item for configuration information, ensure that it traces and audits
the configuration, ensure that it verifies the accuracy of the configuration management at planned
intervals,

8.3.1 The organization cannot use other parties to operate or provide all services, processes, and service
components within the scope; they can only provide part of them.

8.3.2 Must identify and document customers, service users, and other interested parties, must review
performance at planned intervals,

8.3.3 Service level Management: The organization must establish the Service-Level Agreement(s)
(SLA) for service level targets, workload limits, and exceptions.

must monitor, review, and report performance against service level targets at planned intervals

The organization must monitor, review, and report permanent and temporary changes to the amount of
work at planned intervals.

Between the organization and the interested party, an agreement regarding the services to be delivered
must be created

8.3.4 Supplier management: The organization must designate one or more individuals to manage
relationships. The organization must ensure that the interface between the Service Management System
and supplier(s) is clearly defined and managed. Determine and establish agreements

8.4.1 Monitor & Report actual costs at planned intervals,

8.4.2 must determine, monitor and review current demand and predict future demand at planned
intervals

8.4.3 requires the organization to identify, document, and manage a Capacity Plan, Probable impacts,
Capacity thresholds and timescales,

8.5.1 Change management: must establish and document a policy to specify service components, must
apply service design and transition processes, take risks and their impact into consideration. The
organization must consider authorities and responsibilities when planning for new or changed services.
The organization must consider SLAs when designing and documenting new or changed services. The
organization must consider education, training, and experience when designing and documenting new or
changed services. The organization must test and manage the deployment of newly built services

8.5.3 Release & Deployment management: must specify the type of release, needs to plan the
deployment of new or changed services and service parts into real-world environments,

8.6 Resolution & fulfillment: organization must record, prioritize, escalate, resolve and classify the
incidents

must record and classify service requests, build service request

must determine, record and classify, prioritize, and escalate problems by analyzing data and trends,

8.7 Service Assurance: The organization must identify requirements and targets, document, monitor, and
maintain its requirements

8.7.3.2 Requires the organization to assess and document its risks to information security.

8.7.3.3 a) The organization must record and classify incidents

b) The organization must prioritize incidents

c) The organization must escalate incidents

d) The organization must resolve incidents

e) The organization must provide closure to incidents.

9. Performance evaluation: Monitor, measure, analyse and evaluate the system to know the
performance of the SMS, and provides details for auditing under a strategy and scheduled plan;
even though, review the data obtained from audits and take decisions.

9.2 Internal Audit: establishment and implementation of an auditing strategy at regular, planned intervals

9.3 Management Review: the organization holds management reviews at regular, planned intervals

9.4 Service Reporting: the organization to produce necessary reports regarding its Service Management
System

10. Improvement: Management of nonconformity, corrective action, and continual improvement. For
the continual improvement philosophy.
that compliance with ISO 20000-1 is a less daunting task.

ISO/IEC 20000 is an international standard published by ISO (the International Organization for
Standardization) and ICE (the International Electoral Commission) for IT Service Management (ITSM).
It helps in improving the delivery of IT services.

The ISO/IEC 20000 standard series divides into 10 parts. ISO/IEC 20000-1 and ISO/IEC 20000-2 are
the two most important parts. ISO/IEC 20000-4 and ISO/IEC 20000-9, since the 2018 update, are no
longer included as parts of the standard and are declared obsolete.

Contents of the Series

1. ISO/IEC 20000-1:2018 – Requirements of Service Management

2. ISO/IEC 20000-2:2019 – Guidance on Application of Service Management Systems

3. ISO/IEC 20000-3:2019 – Guidance on Scope Definition & Applicability of ISO/IEC 20000-1

4. ISO/IEC TR 20000-5:2013 – Exemplar Implementation Plan for ISO/IEC 20000-1

5. ISO/IEC 20000-6:2017 – Requirements for Bodies Providing Audit & Certification of Service
Management Systems

6. ISO/IEC TR 20000-7:2019 – Guidance on the Integration & Correlation of ISO/IEC 20000-1:2018 to
ISO 9001:2015 & ISO/IEC 27001:2013

7. ISO/IEC 20000-10:2018 – Concepts & Vocabulary

8. ISO/IEC TR 20000-11:2015 – Guidance on the Relationship Between ISO/IEC 20000-1:2011 &
Service Management Frameworks: ITIL

9. ISO/IEC TR 20000-12:2016 – Guidance on the Relationship Between ISO/IEC 20000-1:2011 &
Service Management Frameworks: CMMI-SVC.

- Service Provider: Selects, creates, deploys, operates, and maintains the service

- Service Customer: A consumer of services provided by the service provider.

ISO/IEC 20000:2018: Main Changes in the Latest Version

The most relevant changes made in ISO/IEC 20000-1:2018 from ISO/IEC 20000:2011:

- The CMDB is not included in ISO 20000:2018, even though it was a significant part of ISO
20000:2011

- ISO 20000:2018 includes a service catalog as an independent point, i.e., “8.2 – Service Portfolio”,
which also includes other points related to the concept.

ISO 20000-1 & ITIL

align their IT activities with business needs cost-effectively. However, unlike many other standards, ITIL
does not provide a list of "must-have" standards within it. Therefore, there is no way to guarantee that
the framework's implementation is done in the best way possible.

ITIL is still widely adopted and a great framework as it reduces operational costs, improves user
satisfaction, increases the quality of services, and improves conformity level.
ITIL is a best practice framework that focuses on providing practical processes to align IT services with
business needs; ISO 20000 is a rigid standard that provides a code of practice

ITIL contents include five lifecycle stages, almost thirty-seven processes, and a large number of roles;
ISO 20000 does not specify explicit lifecycles for any of its thirteen processes

Survey of Senior Managers
Information Technology and data management are the top priorities for CEOs in the survey.
33% believe that using new technologies and new IT applications are the critical factors for future
success.
Managers are faced with many decisions with relation to Information Technology. Here are some of the
challenges a manager might face:

Challenges:

use of technology to design and structure the organization

The creation of alliances and partnerships that include electronic linkages.

The selection of systems to support different kinds of workers. Stockbrokers, traders, and others use
sophisticated computer-based workstations in performing their jobs.

Routine transactions processing systems. Routine systems must function for the firm to continue in
business.

Choosing a vendor, designing the system, and implementing it are major challenges for management.

Determining a World Wide Web strategy.

These applications handle the basic business transactions, for example, the order cycle from receiving a
purchase order through shipping goods, invoicing, and receipt of payment

Reporting and control. Many reports are filed with the government and can be accessed through the
Internet and the World Wide Web, including many 10K filings and other SEC-required corporate reports.

Automated production processes. One of the keys to competitive manufacturing is increasing
efficiency and quality through automation.

Embedded products. Increasingly, products contain embedded intelligence. A modern automobile may
contain six or more computers on chips,

Positive and Negative Outcomes of Management Technology Decisions.

Create new procedures, workflows, workgroups, the knowledge base, products and services, and
communications.

Facilitate new reporting relationships, increased spans of control

Create new customer-supplier relations, partnerships, and alliances.

made possible by using e-mail and groupware to increase the span of control and reduce managerial
hierarchy.

what kind of internal and external factors influence their interpretation?

system serves an individual with a certain cognitive style faced with a particular decision problem in
some organizational setting
Clearly, the nature of the problem influences the way we interpret information. The attitudes of a new
employee will differ substantially from those of the chairman of the board. People who have different
ideas interpret information differently.

Analytic v Heuristic Decision Makers Loosely organized information might be a report composed of
different forms of information from multiple sources. different types of decisions require different kinds
of information and providing inappropriate information is one common failing of information systems.

The data-for example, production control data, inventory status, or accounts receivable balances-must be
detailed. Information for strategic decisions, on the other hand, is more predictive and long range in
nature. Strategic planning may uncover many surprises.

Highly developed countries are in a post-industrial age. Employees in this sector are often called
"knowledge workers." This text is an example of an attempt to present explicit knowledge to you,
knowledge about information technology and how to manage it in an organization.

The role of information systems is to support decision making.

Types of decisions

1. Strategic planning: the decision maker develops objectives and allocates resources to obtain
them. Decisions in this category are characterized by long time periods and usually involve a
substantial investment and effort.

2. Managerial Control: Decisions involving managerial control concern the use of resources in the
organization

3. Operational Control: supervisors would be more concerned with operational decisions

Stages

1. Problem finding or identification. Intelligence, which determines that a problem exists.
Become aware of a problem and gather data about it.
2. Design stage: the problem solver tries to develop a set of alternative solutions.
3. Choice stage: the decision maker selects one of the solutions.
4. Implementation stage: we ensure that the solution is carried out.

The charismatic organization is dominated by a strong leader. This individual sets the goals of the firm
and tends to make all decisions.

The Bureaucracy

The adaptive organization tries to respond quickly to its environment. The organization stresses rapid
response times and does not have a large number of layers of management.
