Professional Documents
Culture Documents
ISO 20000 For IT: The Author
ISO 20000 For IT: The Author
ISO 20000 For IT: The Author
governance and control of the IT service involved, time and place of produc-
The Author provision, is therefore aimed at imple- tion. In this way, planning, governance
menting major principles and methods and control of IT services are strongly
Prof. Dr. Georg Disterer from industrial production, a fact known supported. This also allows for a sys-
Faculty of Economics and under the slogan of “IT industrialization” tematic handling of technical changes
Information Systems (Hochstein and Brenner 2006, p. 4; Walter as they appear frequently within IT.
University of Applied Sciences et al. 2007, p. 6). Standardized procedures can be pre-
and Arts of Hannover sented in a transparent way and can be
Ricklinger Stadtweg 120 easily communicated. Thus they are
30459 Hannover 2 Objectives and instruments understandable, predictable and reli-
Germany of a certification according able. Standardization is also a prereq-
georg.disterer@fh-hannover.de to ISO 20000 uisite for internal or external compar-
isons of quality and costs of different
Received: 2009-03-20 IT providers as well as for verification
Accepted: 2009-07-27 2.1 Trade-off between quality and cost and assessment of procedures by inde-
Accepted after two revisions pendent third parties e. g. in conjunc-
by Prof. Dr. Sinz. In many companies, success cannot be tion with a certification.
achieved without high-quality IT services j Customer focus: Instead of setting a
This article is also available in Ger- to support business processes. With higher focus (too) strongly on technical con-
man in print and via http://www. competition and cost pressure the con- ditions, IT services should be provided
wirtschaftsinformatik.de: Disterer G flict between the objectives “IT quality” in a customer-oriented way. Therefore
(2009) Zertifizierung der IT nach ISO and “IT costs” necessarily gains greater the customers of IT services have to be
2000. WIRTSCHAFTSINFORMATIK. doi: attention. Correspondingly, well-known identified and their needs for infor-
10.1007/11576-009-0198-2. principles and methods from industrial mation provision and processing have
production are used to reach quality and to be analyzed. IT providers and their
cost objectives. Standardization particu- customers have to clearly agree upon
larly constitutes an essential driver of IT the service offer and have to specify
1 ISO 20000 as an instrument industrialization. In the field of hardware its extent and quality in service level
for the industrialization of IT as well as system and application software agreements (SLAs). This specification
comprehensive standardization has improves transparency of the service
Since the end of 2005 the international already been carried out during the last offer as well as performance manage-
standard ISO 20000 has been deployed decades. Now, significant quality and cost ment and monitoring and also sup-
for IT service management (ITSM) as a improvements are expected from higher ports a performance-oriented way of
standard for the provision of IT services. standardization of IT service design and charging.
Meanwhile, a growing number of IT operation. j rocess orientation: A process-ori-
P
service providers undergoes ISO 20000 ented adjustment of IT service cre-
certification in order to provide evidence 2.2 Main instruments according to ISO ation is meant to avoid disruptions
for their conformity with the standard 20000 and reduce frictions. In doing so, IT
and to keep it as a quality signal for their transformation processes follow the
customers. The ISO 20000 standard follows the prevailing paradigm of process orien-
The reason can be seen in the increas- demand to transfer standardization as a tation in order to secure continuous
ing importance of using information tech- principle of industrial production to the processes despite vertical division of
nology (IT) to support business processes provision of IT services. Besides, quality labor which is anchored in the organi-
and transactions in many companies. IT management approaches similar to the zational structure.
departments no longer take a monopoly ISO 9000 standard are pursued. By means j Continuous improvement: Following
position for the provision of IT services of a targeted and systematic use of a set of the principles of quality management
per se, but the relations between func- instruments, the needs, requirements and the provisioning of IT services is sub-
tional and IT departments are considered expectations of customers with regard to jected to continuous verification and
as customer/supplier relationships (also) quality and cost of IT services should be assessment in order to persistently
subject to market and competition mech- met. The main instruments are: and sustainably reduce disruptions and
anisms. As a result, both IT departments j Standardization: The unification of all frictions as well as to identify measures
and IT providers increasingly have to act practices ensures that operations dur- for saving resources.
in a cost- and performance-oriented way. ing IT service provisioning are car- jAlignment to well-known approaches:
IT service management, i. e. planning, ried out independently of the people The standardization of processes can
ISO
ISO 20000
International Organization for
Standardization ISO
published: 2005-12-15
auditing and certification of companies
training and qualifications scheme
BS so far: 421 companies worldwide,
including 27 companies certified in
Germany (2009-07-01)
BS 15000
British Standard Institute BSI
published: 2000-11
auditing and certification of companies
training and qualification scheme
withdrawn by BSI in 2005-12 (due to
succession by ISO 20000)
transfer to ISO 20000 possible until
2007-07
OGC
be supported by referring to existing certification serves as an impulse, motiva- 3 Origin and evolution of
frameworks, recommendations, etc. tion and reinforcement by highlighting the the ISO 20000 standard
Thus, companies can benefit from achievement of the certificate at the end
developments in science and practice of the transformation process. Pursuing The ISO 20000 standard is based on the
by using “common practices” or “best certification also intensifies the anchoring “Information Technology Infrastructure
practices”. Despite significant custom- of continuous improvement processes for Library” (ITIL) reference model and the
izations, which are usually necessary IT services within the organization. British standard BS 15000 (Fig. 1).
to consider company specifics, the use From an external perspective, the certif- Since the end of the 1980s, ITIL has
of existing frameworks also supports icate serves as seal by an independent body been developed by the British authority
cost targets as companies do not have providing customers with evidence that all “Central Computer and Telecommunica-
to “reinvent the wheel”. the conditions and requirements of a rec- tions Agency (CCTA)”, today called Office
jC
ertification of organization and ognized standard are met. This evidence of Government Commerce (OGC), and is
people: A certificate issued by an inde- can be used as a quality signal to increase currently available in version 3 (since May
pendent body serves as a quality seal for an IT service provider’s competitiveness 2007). The aim is to provide a reference or
fulfilling the conditions and require- if customers tend to choose IT providers framework according to which IT services
ments of an approved standard. Regu- based on their compliance with the stan- are to be provided in a process-oriented
lar recertification shows that the com- dard, as is often the case in public tenders and systematic way.
pliance with the standard is continu- and increasingly the case in private prac- ITIL contains a collection of “common
ously met over a longer period. tices. The certificate can be used for mar- practices”, i. e. a collection of procedures
keting the IT services since a proof of con- and practices that have proved success-
2.3 Certification impacts formity with approved standards signals ful in practice. The ITIL documentation
trustworthiness and reliability. contains detailed descriptions of essential
The certification process has different The personnel training and qualifi- IT service provisioning processes as well
internal and external effects. For the senior cation scheme contributes to systematic as checklists for the tasks and responsi-
management certification can serve as a training and to the verification of suitable bilities. ITIL is currently considered as
relatively clear-cut objective of a complex qualifications of employees for taking on a de facto standard for the alignment of
transformation process. The success can important ITSM tasks. all ITSM functions. However, there is no
be directly and precisely observed at the international legitimacy and official rec-
end of the process by means of the attained ognition.
certificate. As a result the transformation In 2000, the British Standard BS 15000
process will more likely obtain sufficient was introduced as a quality management
attention, priority and resources. For the system for the provisioning of IT services
professionals involved, the objective of by the national standardization authority
Management Processes
British Standards Institution (BSI). Many under the heading “Business Information be continuously monitored (check) and, if
authors of ITIL participated in the devel- Publications” (BIP), a general introduc- necessary, measures for improvement (act)
opment of the standard so that there are tion to service management (Dugmore have to be identified, prioritized, imple-
strong overlaps of content between ITIL and Shirley 2006) and a checklist for veri- mented and monitored.
and BS 15000 and only minor differences. fication of conformity with the standard For service management, the standard
Based on BS 15000, companies could (MacFarlane and Dugmore 2006). requires 14 processes in five process areas
receive a certification for complying with For service management, ISO 20000 (Fig. 2), which are strongly based on the
the standard’s specifications and guide- prescribes a number of superordinate ITIL processes (V2). Additionally, the
lines. The British standard also gained management processes as well as core ser- documentation on ITIL (V3) may provide
great international response. Thus, the vice management processes in five process further information and assistance.
BSI initiated an authentication process areas (Fig. 2).
of BSI 15000 as international standard in The superordinate management pro-
2004. Ultimately, the ISO issued the ISO cesses are supposed to secure a strategic 5 Certification process
20000 standard on 2005-12-15 and the alignment of IT services, in particular according to ISO 20000
BSI consequently withdrew the BSI 15000 an alignment to the objectives of (inter-
standard. ISO 20000 provides a globally nal and external) customers as well as eco- Companies are awarded certificates
acknowledged standard for ITSM allow- nomic and quality objectives. For this aim, according to ISO 20000 upon request and
ing for certification of the companies’ a service catalogue as a key instrument has after examination by registered certifica-
compliance. to be created and maintained describing tion bodies (RCB). Fig. 3 illustrates the
all services in detail (including inputs/out- main stages and tasks of such a certifica-
puts, quality characteristics, performance tion project.
4 Contents of the ISO parameters, billing procedures,...). The total duration of a certification pro-
20000 standard A detailed documentation of responsi- cess depends on the company’s size and
bilities as well as tasks and procedures has complexity and the extent to which IT ser-
The standard is codified in the two to be set up and maintained in order to vice provisioning is already carried out in
documents ISO 20000–1 (2005) and provide a transparent service provisioning a process-oriented way. If an alignment
ISO 20000–2 (2005). The first document process and to delineate areas of responsi- with ITIL already exists, an audit can be
contains the formal specification of the bility. In the sense of a systematic quality prepared within 6 to 9 months so that
standard and describes the requirements management a continuous improvement of the total time until the final certification
necessary to comply with in order to attain processes must be established. In doing so, may be around 9 to 12 months. If a pro-
the certificate. Therefore, this part of the the standard directly refers (ISO 20000–1 cess orientation according to ITIL (Dis-
standard is referred to as “mandatory 2005, p. 4) to Deming’s “Plan-Do-Check- terer 2008, p. 1320) or similar references
criteria” (Buchsein et al. 2007, p. 52; Greb Act” Cycle (PDCA-Cycle) which is well- have to be introduced during the certifi-
et al. 2006, p. 10) or “minimum require- known from classical quality manage- cation project the period may amount to
ments” (Buchsein et al. 2007, p. 51; KBSt ment and which highlights the necessity up to 3 years.
2006, p. 8). The second document supple- of an integration of planning and ongoing During the initiation phase, basically
ments and clarifies the requirements and verification of the plans’ implementation. the objectives of the certification have to
provides recommendations for imple- Then, with given values for metrics and be clarified. What kinds of benefits are
mentation. BSI published supplementing performance parameters (plan), the ongo- expected and which resources (time, per-
information to these official documents ing execution (do) of the processes has to sonnel, finance) are needed – according to
implementation examination
implementation service for
management standard operations
initiation preparation management certificate
processes (after certification)
processes (audit)
project management
clarification of objectives and detailing the introducing service initiating sub- pre-audit (document re-certification every 3 years
benefits of certification service catalogue improvement projects for each verification) standard operations with
determination of the scope of determining processes service process modifications based continuous improvement
certification maturity level introducing process consolidation of on pre-audit advice acting on advice and
clarification of resource defining and improvement the results of main audit: docu- shortcomings from former
demand establishing processes subprojects ment verifivcation, examinations
documentation implementation completion of interviews with
project planning
process of management documentation process managers,
external experts necessary? reporting and analysis
detailed project evaluating results
obtaining support from senior planning goverance structure with the senior modifications based
management establishing contract management on audit advice
resource planning
management raise internal and
(staff, external
persons ...)
external effects of
the certificate Fig. 3 Certification pro-
training of
employees ject according to ISO
information of
stakeholders 20000
500
6421
6308
300 21
242
Asien
200 180
6151
7
676 690
100 90
669 6
5 6 145 Europa
35 46 107
31
69 35 38 54
33
0 Fig. 4 Number of certi-
2004 2005 2006 2007 2008 01.01.2009 01.07.2009
fied companies (Source:
BS 15000 ISO 20000 ITSMF 2009)
initial estimates? During the preparatory An important part of the certification personnel resources usually do not allow
phase it has to be determined which of the examination refers to the documentation all processes to be introduced simultane-
necessary superior management and ser- of processes. Therefore, the documenta- ously.
vice management processes are already tion has to be defined and agreed on at an In the first part, the examination for
in place and to what degree they comply early stage, using guidelines for document certification (audit) consists of a visual
with the standard. This requires the devel- storage, document sharing, naming con- inspection of all documents (reports, pro-
opment or completion of the service cat- ventions, version control, and change his- cess descriptions, figures...), which are to
alogue as well as the identification of all tory. be sent to the certification authority. This
major components of the services and the During the implementation of manage- investigation serves to prepare the certi-
disclosure of relationships and dependen- ment processes an overall governance and fication body for the main examination.
cies. The value chain of suppliers via the control system has to be determined and Later on, the certification authority’s rep-
internal service provision to the custom- introduced. This system must be aligned resentatives conduct the second part of the
ers has to be incorporated. It is necessary to the requirements of the continuous examination as an on-site inspection last-
to ascertain which level of “maturity” for improvement in the “Plan-Do-Check- ing several days. This includes interviews
IT service provision already exists and to Act” cycle. In particular, it is important to with all responsible persons in which they
what extent this maturity level is sufficient establish how service improvements and describe the processes, explain details and
for certification. Checklists (e. g. ITSMF processes improvements are to be con- specifics, define process documentations,
n. d.) are used for recognizing necessary ducted. To implement the service manage- justify ratios and performance parame-
changes in order to meet the minimum ment processes, the definition of subproj- ters and their development as well as com-
requirements of the standard. ects will be necessary since the available ment on identified weaknesses and initi-