ISO/IEC 20000

YEDAISO/IEC 20000' is the first international standard for IT Service Management. It was developed in 2005, by the BSI Group. It is based on and intended to supersede the earlier, BS 15000.

Formally: ISO 20000-1 ('part 1') "promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements". It comprises ten sections:

ISO 20000-2 ('part 2') is a 'code of practice', and describes the best practices for service management within the scope of ISO 20000-1. It comprises the same sections as 'part 1' but excludes the 'Requirements for a Management system' as no requirements are imposed by 'part 2'.

ISO 20000, like its BS 15000 predecessor, was originally developed to reflect best practice guidance contained within the ITIL (Information Technology Infrastructure Library) framework, although it equally supports other IT Service Management frameworks and approaches including Microsoft Operations Framework and components of ISACA's COBIT framework. It comprises two parts: a specification for IT Service Management and a code of practice for service management. The differentiation between ISO 20000 and BS 15000 has been addressed by Jenny Dugmore.

The standard was first published in December 2005.

Back to top

Information Technology Infrastructure Library

The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for managing Information Technology (IT) services (ITSM), IT development and IT operations.

ITIL gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs. ITIL is published in a series of books, each of which covers an IT management topic. The names ITIL and IT Infrastructure Library are registered trademarks of the United Kingdom's Office of Government Commerce (OGC).

History

Responding to growing dependence on IT, the UK Government's CCTA in the 1980s developed a set of recommendations. It recognised that without standard practices, government agencies and private sector contracts were independently creating their own IT management practices.

The IT Infrastructure Library originated as a collection of books, each covering a specific practice within IT Service Management. ITIL was built around a process-model based view of controlling and managing operations often credited to W. Edwards Deming and his PDCA cycle.

After the initial publication in 1989, the number of books quickly grew within ITIL v1 to over 30 volumes.

In 2000/2001, to make ITIL more accessible (and affordable), ITIL v2 consolidated the publications into 8 logical "sets" that grouped related process-guidelines to match different aspects of IT management, applications, and services. However, the main focus was known as the Service Management sets (Service Support and Service Delivery) which were by far the most widely used, circulated, and understood of ITIL v2 publications.

Five volumes comprise the ITIL v3, published in May 2007:

Back to top

Overview of the ITIL v2 library

The eight ITIL version 2 books and their disciplines are:

The IT Service Management sets

Other operational guidance

To assist with the implementation of ITIL practices a further book was published providing guidance on implementation (mainly of Service Management):

And this has more recently been supplemented with guidelines for smaller IT units, not included in the original eight publications:

Service Support

The Service Support ITIL discipline focuses on the User of the ICT services and is primarily concerned with ensuring that they have access to the appropriate services to support the business functions.

To a business, customers and users are the entry point to the process model. They get involved in service support by:

The service desk functions as the single contact-point for end-users' incidents. Its first function is always to "create" an incident. If there is a direct solution, it attempts to resolve the incident at the first level. If the service desk cannot solve the incident then it is passed to a 2nd/3rd level group within the incident management system. Incidents can initiate a chain of processes: Incident Management, Problem Management, Change Management, Release Management and Configuration Management. This chain of processes is tracked using the Configuration Management Database (CMDB), which records each process, and creates output documents for traceability (Quality Management).

Service Desk / Service Request Management

Tasks include handling incidents and requests, and providing an interface for other ITSM processes. Features include:

Primary functions of the Service Desk include:

The Service Desk function can have various names, such as:

The three types of structure for consideration:

Incident Management

Incident Management aims to restore normal service operation as quickly as possible and minimize the adverse effect on business operations, thus ensuring that the best possible levels of service-quality and -availability are maintained. 'Normal service operation' is defined here as service operation within Service Level Agreement (SLA) limits.

Problem Management

Problem Management aims to resolve the root causes of incidents and thus to minimize the adverse impact of incidents and problems on business that are caused by errors within the IT infrastructure, and to prevent recurrence of incidents related to these errors. A `problem' is an unknown underlying cause of one or more incidents, and a `known error' is a problem that is successfully diagnosed and for which either a work-around or a permanent resolution has been identified. The CCTA defines problems and known errors as follows:

A problem is a condition often identified as a result of multiple incidents that exhibit common symptoms. Problems can also be identified from a single significant incident, indicative of a single error, for which the cause is unknown, but for which the impact is significant.

A known error is a condition identified by successful diagnosis of the root cause of a problem, and the subsequent development of a work-around.

Problem management differs from incident management. The principal purpose of problem management is to find and resolve the root cause of a problem and prevention of incidents; the purpose of incident management is to return the service to normal level as soon as possible, with smallest possible business impact.

The problem-management process is intended to reduce the number and severity of incidents and problems on the business, and report it in documentation to be available for the first-line and second line of the help desk. The proactive process identifies and resolves problems before incidents occur. Such processes include:

The Error Control Process iteratively diagnoses known errors until they are eliminated by the successful implementation of a change under the control of the Change Management process.

The Problem Control Process aims to handle problems in an efficient way. Problem control identifies the root cause of incidents and reports it to the service desk. Other activities are:

The standard technique for identifying the root cause of a problem is to use an Ishikawa diagram, also referred to as a cause-and-effect diagram, tree diagram, or fishbone diagram. A brainstorming session—in which group members offer product-improvement ideas typically results in an Ishikawa diagram. For problem-solving, the goal is to find causes and effects of the problem.

A meta-model can define Ishikawa diagrams.

First there is the main subject, which is the backbone of the diagram that we are trying to solve or improve. The main subject is derived from a cause.

The relationship between a cause and an effect is a double relation: an effect is a result of a cause, and the cause is the root of an effect. But there is just one effect for several causes and one cause for several effects.

Change Management

Change Management aims to ensure that standardized methods and procedures are used for efficient handling of all changes,

Main article: Change Management (ITSM)

A change is “an event that results in a new status of one or more configuration items (CI's)” approved by management, cost effective, enhances business process changes (fixes) - with a minimum risk to IT infrastructure.

The main aims of Change Management include:

Change Management Terminology

Release Management

Release Management is used by the software migration team for platform-independent and automated distribution of software and hardware, including license controls across the entire IT infrastructure. Proper software and hardware control ensures the availability of licensed, tested, and version-certified software and hardware, which functions as intended when introduced into existing infrastructure. Quality control during the development and implementation of new hardware and software is also the responsibility of Release Management. This guarantees that all software meets the demands of the business processes.

The goals of release management include:

Release management focuses on the protection of the live environment and its services through the use of formal procedures and checks.

A Release consists of the new or changed software and/or hardware required to implement approved changes.

Release categories include:

Releases can be divided based on the release unit into:

Configuration Management

Configuration Management is a process that tracks all individual Configuration Items (CI) in a system.

Service Delivery

The Service Delivery discipline concentrates on the proactive services the ICT must deliver to provide adequate support to business users. It focuses on the business as the customer of the ICT services (compare with: Service Support). The discipline consists of the following processes, explained in subsections below:

Service Level Management

Service Level Management provides for continual identification, monitoring and review of the levels of IT services specified in the service level agreements (SLAs). Service Level Management ensures that arrangements are in place with internal IT Support-Providers and external suppliers in the form of Operational Level Agreements (OLAs) and Underpinning Contracts (UCs). The process involves assessing the impact of change upon service quality and SLAs. The service level management process is in close relation with the operational processes to control their activities. The central role of Service Level Management makes it the natural place for metrics to be established and monitored against a benchmark.

Service Level Management is the primary interface with the customer (as opposed to the user serviced by the Service Desk). Service Level Management is responsible for:

The Service Level Manager relies on the other areas of the Service Delivery process to provide the necessary support which ensures the agreed services are provided in a cost-effective, secure and efficient manner.

Capacity Management

Capacity Management supports the optimum and cost-effective provision of IT services by helping organizations match their IT resources to business demands. The high-level activities include:

IT Service Continuity Management

IT Service Continuity management covers the processes by which plans are put in place and managed to ensure that IT Services can recover and continue should a serious incident occur. It is not just about reactive measures, but also about proactive measures - reducing the risk of a disaster in the first instance.

Continuity management is regarded by the application owners as the recovery of the IT infrastructure used to deliver IT Services, but as of 2009 many businesses practice the much further-reaching process of Business Continuity Planning (BCP), to ensure that the whole end-to-end business process can continue should a serious incident occur (at primary support level).

Continuity management involves the following basic steps:

Availability Management

Availability Management targets allowing organizations to sustain the IT service-availability to support the business at a justifiable cost. The high-level activities are Realize Availability Requirements, Compile Availability Plan, Monitor Availability, and Monitor Maintenance Obligations.

Availability Management addresses the ability of an IT component to perform at an agreed level over a period of time.

Financial Management for IT Services

IT Financial Management comprises the discipline of ensuring that the IT infrastructure is obtained at the most effective price (which does not necessarily mean cheapest) and calculating the cost of providing IT services so that an organisation can understand the costs of its IT services. These costs may then be recovered from the customer of the service. this is the 2nd component of service delivery process.

Planning to implement service management

The ITIL discipline - Planning To Implement Service Management attempts to provide practitioners with a framework for the alignment of business needs and IT provision requirements. The processes and approaches incorporated within the guidelines suggest the development of a Continuous Service Improvement Programme (CSIP) as the basis for implementing other ITIL disciplines as projects within a controlled programme of work. Planning To Implement Service Management focuses mainly on the Service Management processes, but also applies generically to other ITIL disciplines. Components include:

Security Management

The ITIL-process Security Management describes the structured fitting of information security in the management organization. ITIL Security Management is based on the code of practice for information security management now known as ISO/IEC 27002.

A basic goal of Security Management is to ensure adequate information security. The primary goal of information security, in turn, is to protect information assets against risks, and thus to maintain their value to the organization. This is commonly expressed in terms of ensuring their confidentiality, integrity and availability, along with related properties or goals such as authenticity, accountability, non-repudiation and reliability.

Mounting pressure for many organizations to structure their Information Security Management Systems in accordance with ISO/IEC 27001 requires revision of the ITIL v2 Security Management volume, and indeed a v3 release is in the works.

ICT Infrastructure Management

ICT Infrastructure Management processes recommend best practice for requirements analysis, planning, design, deployment and ongoing operations management and technical support of an ICT Infrastructure. ("ICT" is an acronym for "Information and Communication Technology".)

The Infrastructure Management processes describe those processes within ITIL that directly relate to the ICT equipment and software that is involved in providing ICT services to customers.

These disciplines are less well understood than those of Service Management and therefore often some of their content is believed to be covered 'by implication' in Service Management disciplines.

ICT Design and Planning

ICT Design and Planning provides a framework and approach for the Strategic and Technical Design and Planning of ICT infrastructures. It includes the necessary combination of business (and overall IS) strategy, with technical design and architecture. ICT Design and Planning drives both the Procurement of new ICT solutions through the production of Statements of Requirement ("SOR") and Invitations to Tender ("ITT") and is responsible for the initiation and management of ICT Programmes for strategic business change. Key Outputs from Design and Planning are:

ICT Deployment Management

ICT Deployment provides a framework for the successful management of design, build, test and roll-out (deploy) projects within an overall ICT programme. It includes many project management disciplines in common with PRINCE2, but has a broader focus to include the necessary integration of Release Management and both functional and non functional testing.

ICT Operations Management

ICT Operations Management provides the day-to-day technical supervision of the ICT infrastructure. Often confused with the role of Incident Management from Service Support, Operations has a more technical bias and is concerned not solely with Incidents reported by users, but with Events generated by or recorded by the Infrastructure. ICT Operations may often work closely alongside Incident Management and the Service Desk, which are not-necessarily technical, to provide an 'Operations Bridge'. Operations, however should primarily work from documented processes and procedures and should be concerned with a number of specific sub-processes, such as: Output Management, Job Scheduling, Backup and Restore, Network Monitoring/Management, System Monitoring/Management, Database Monitoring/Management Storage Monitoring/Management. Operations are responsible for:

ICT Technical Support

ICT Technical Support is the specialist technical function for infrastructure within ICT. Primarily as a support to other processes, both in Infrastructure Management and Service Management, Technical Support provides a number of specialist functions: Research and Evaluation, Market Intelligence (particularly for Design and Planning and Capacity Management), Proof of Concept and Pilot engineering, specialist technical expertise (particularly to Operations and Problem Management), creation of documentation (perhaps for the Operational Documentation Library or Known Error Database). There are different levels of support under the ITIL structure, these being primary support level, secondary support level and tertiary support level, higher-level administrators being responsible for support at primary level.

The Business Perspective

ITIL gives the name "The Business Perspective" to the collection of best practices that is suggested to address some of the issues often encountered in understanding and improving IT service provision, as a part of the entire business requirement for high IS quality management. These issues are:

Application Management

ITIL Application Management set encompasses a set of best practices proposed to improve the overall quality of IT software development and support through the life-cycle of software development projects, with particular attention to gathering and defining requirements that meet business objectives.

Software Asset Management

Software Asset Management (SAM) is the practice of integrating people, processes and technology to allow software licenses and usage to be systematically tracked, evaluated and managed. The goal of SAM is to reduce IT expenditures, human resource overhead and risks inherent in owning and managing software assets.

SAM practices include:

SAM represents the software component of IT asset management. This includes hardware asset management because effective hardware inventory controls are critical to efforts to control software. This means overseeing software and hardware that comprise an organization’s computers and network.

Small-Scale Implementation

ITIL Small-Scale Implementation provides an approach to ITIL framework implementation for smaller IT units or departments. It is primarily an auxiliary work that covers many of the same best practice guidelines as Planning To Implement Service Management, Service Support, and Service Delivery but provides additional guidance on the combination of roles and responsibilities, and avoiding conflict between ITIL priorities.

Back to top

Criticisms of ITIL

ITIL has been criticized on several fronts, including:

As Jan van Bon (author and editor of many IT Service Management publications) notes,

There is confusion about ITIL, stemming from misunderstandings about its nature. ITIL is, as the OGC states, a set of best practices. The OGC doesn't claim that ITIL's best practices describe pure processes. The OGC also doesn't claim that ITIL is a framework, designed as one coherent model. That is what most of its users make of it, probably because they have such a great need for such a model...

CIO Magazine columnist Dean Meyer has also presented some cautionary views of ITIL, including five pitfalls such as "becoming a slave to outdated definitions" and "Letting ITIL become religion." As he notes, "...it doesn't describe the complete range of processes needed to be world class. It's focused on ... managing ongoing services."

Van Herwaarden and Grift see the quality of the library's volumes as uneven. They note: “the consistency that characterized the service support processes … is largely missing in the service delivery books."

In a 2004 survey designed by Noel Bruton (author of "How to Manage the IT Helpdesk" and "Managing the IT Services Process"), organizations adopting ITIL were asked to relate their actual experiences in having implemented ITIL. Seventy-seven percent of survey respondents either agreed or strongly agreed that "ITIL does not have all the answers". ITIL exponents accept this, citing ITIL's stated intention to be non-prescriptive, expecting organizations to engage ITIL processes with existing process models. Bruton notes that the claim to non-prescriptiveness must be, at best, one of scale rather than absolute intention, for the very description of a certain set of processes is in itself a form of prescription.

While ITIL addresses in depth the various aspects of Service Management, it does not address enterprise architecture in such depth. Many of the shortcomings in the implementation of ITIL do not necessarily come about because of flaws in the design or implementation of the Service Management aspects of the business, but rather the wider architectural framework in which the business is situated. Because of its primary focus on Service Management, ITIL has limited utility in managing poorly designed enterprise architectures, or how to feed back into the design of the enterprise architecture.

Some researchers group ITIL with Lean, Six Sigma and Agile IT operations management. Applying Six Sigma techniques to ITIL brings the engineering approach to ITIL's framework. Applying Lean techniques promotes continuous improvement of the ITIL's best practices. However, ITIL itself is not a transformation method, nor does it offer one. Readers are required to find and associate such a method. Some vendors have also included the term Lean when discussing ITIL implementations, for example "Lean-ITIL". The initial consequences of an ITIL initiative tend to add cost with benefits promised as a future deliverable. ITIL does not provide usable methods "out of the box" to identify and target waste, or document the customer value stream as required by Lean, and measure customer satisfaction.

Back to top

ITIL alternatives

IT Service Management as a concept is related but not equivalent to ITIL which, in Version 2, contained a subsection specifically entitled IT Service Management (ITSM). (The five volumes of version 3 have no such demarcated subsection). The combination of the Service Support and Service Delivery volumes are generally equivalent to the scope of the ISO/IEC 20000 standard (previously BS 15000), "BS" meaning British Standard.

Outside of ITIL, other IT Service Management approaches and frameworks exist, including the Enterprise Computing Institute's library covering general issues of large scale IT management, including various Service Management subjects, and the Universal Service Management Body of Knowledge (USMBOK), developed to offer a description of a service management system and service provider organization that may be universally applied to IT organizations and non-IT alike.

COBIT is perceived as an audit framework but the supporting body of knowledge (such as COBIT's books Control Practices, IT Assurance Guide, IT Governance Implementation Guide, and User's Guide for Service Managers) has grown to offer a credible alternative to ITIL.

The British Educational Communications and Technology Agency (BECTA) has developed the Framework for ICT Technical Support (FITS), based on ITIL, but slimmed down for UK primary and secondary schools (which often have very small IT departments). Similarly, The Visible OPS Handbook: Implementing ITIL in 4 Practical and Auditable Steps (Full book summary) claims to be based on ITIL but to focus specifically on the biggest "bang for the buck" elements of ITIL.

Organizations that need to understand how ITIL processes link to a broader range of IT processes or need task level detail to guide their service management implementation can use the IBM Tivoli Unified Process (ITUP). Like MOF, ITUP is aligned with ITIL, but is presented as a complete, integrated process model.

Smaller organizations that cannot justify a full ITIL program and materials can gain insight into ITIL from a review of the Microsoft Operations Framework which is based on ITIL but defines a more limited implementation.

The enhanced Telecom Operations Map eTOM published by the TeleManagement Forum offers a framework aimed at telecommunications service providers. In a joined effort, tmforum and itSMF have developed an Application Note to eTOM (GB921 V, version 6.1 in 2005, a new releases is scheduled for summer 2008) that shows how the two frameworks can be mapped to each other. It addresses how eTom process elements and flows can be used to support the processes identified in ITIL.

One United States-based approach to the enterprise lifecycle is found in A Practical Guide to Federal Enterprise Architecture by the U.S. CIO Council. This is a companion text to Federal Enterprise Architecture Framework (or FEAF). The guide ties together the operational (present time) CPIC (Capital Planning and Investment Control) processes, the architecture processes (future planning), and other pieces of the lifecycle management processes into one cohesive package.

Back to top

Certification

Individuals

The certification scheme differs between ITIL v2 and ITIL v3 and bridge examinations let v2 certification owners transfer to the new program. ITIL v2 offers 3 certification levels: Foundation, Practitioner and Manager. These should be progressively discontinued in favour of the new ITIL v3 scheme. ITIL v3 certification levels are: Foundation, Intermediate, Expert and Master. The ITIL v3 certification scheme offers a modular approach; each qualification is assigned a credit value so that upon successful completion of the module, the candidate is rewarded with both a certification and a number of credits. A candidate willing to achieve the Expert level will have, among other requirements, to gain the required number of credits (22).

The ITIL Certification Management Board (ICMB) manages ITIL certification. The Board includes representatives from interested parties within the community around the world. Members of the Board include (though are not limited to) representatives from the UK Office of Government Commerce (OGC), APM Group (APMG), The Stationery Office (TSO), V3 Examination Panel, Examination Institutes (EIs) and the IT Service Management Forum International (itSMF) as the recognized user group.

Since the early 1990s, EXIN and ISEB have been setting up the ITIL based certification program, developing and providing ITIL exams at three different levels: Foundation, Practitioner and Manager. EXIN and BCS/ISEB (the British Computer Society) have from that time onwards been the only two examination providers in the world to develop formally acknowledged ITIL certifications, provide ITIL exams and accredit ITIL training providers worldwide. These rights were obtained from OGC, the British government institution and owner of the ITIL trademark. OGC signed over the management of the ITIL trademark and the accreditation of examination providers to APMG in 2006. Now, after signing a contract with EXIN and BCS/ISEB, APMG is accrediting them as official examination bodies, providing APMG’s ITIL exams and accrediting ITIL training providers.

On July 20, 2006, the OGC signed a contract with the APM Group to become its commercial partner for ITIL accreditation from January 1, 2007. APMG manage the ITIL Version 3 exams.

APMG maintains a voluntary register of ITIL Version 3-certified practitioners at their Successful Candidate Register. A voluntary registry of ITIL Version 2-certified practitioners is operated by the ITIL Certification Register.

Organizations

Organizations and management systems cannot claim certification as "ITIL-compliant". An organization that has implemented ITIL guidance in IT Service Management (ITSM), may however, be able to achieve compliance with and seek certification under ISO/IEC 20000. Note that there are some significant differences between ISO/IEC20000 and ITIL Version 3