Agenda
• Introduction to the Foundation Training material
• Quality approach
• Process areas:
  - IT and the Business
  - Designing for service
  - Control of IT services
  - Support of IT services
• Management and Improvement of ITSM

Welcome to the Basic Training Material
• These slides contain the basic training material required to prepare students for the EXIN Foundation Examination in ITSM based on ISO/IEC 20000.
• Slides may be used in a Foundation training and as a basis for an accredited training.
• A good training will always require extra examples, elaborating subjects of special interest to the audience and a good time schedule, including break-out sessions.
• The order in which the Foundation subjects are treated follows the order of the exam requirements, which is not necessarily the order in a good training course.

Quality
ISO 9000: “Degree to which a set of inherent characteristics fulfills requirements”
Philip B. Crosby: “Conformance to requirements”
Noriaki Kano (and others): “Products and services that meet or exceed customers’ expectations”
Rolf Reinhardt: “Quality is no standard, it is a learning process”
Peter Drucker: “Quality in a product or service is not what the supplier puts in. It is what the customer gets out and is willing to pay for”

Quality
Joseph M. Juran: “Fitness for use”
Six Sigma: “Number of defects per million opportunities”
American Society for Quality: a) “The characteristics of a product or service that bear on its ability to satisfy stated or implied needs; b) A product or service free of deficiencies”
W. Edwards Deming: “the efficient production of the quality that the market expects”
Gerald M. Weinberg: “Value to some person”

The eight principles of Quality Management
• ISO/IEC 20000 is predicated on basic principles of Quality Management as defined in ISO 9000
• The eight Principles of Quality Management (QM) are:
  - Customer focus
  - Leadership
  - Involvement of people
  - Process approach
  - System approach to management
  - Continual improvement
  - Factual approach to decision making
  - Mutually beneficial supplier relationships

What is a Quality Management System?
A quality management system (QMS):
• A framework of:
  - policies;
  - processes;
  - procedures;
  - guidelines;
  - and associated resources
to achieve the objectives of the organization.

Setting up a Quality Management System
1. Identify Customer’s Requirements and Expectations
2. Define and assign required resources to achieve the committed quality goals
3. Launch of procedures to measure effectiveness and efficiency

Quality Policy
• Determining the general quality goals of an organization
  • Principles and rules on the way we do business related to the quality of products and services we provide to our customers
• The Quality Policy recognizes that there is always the potential to increase effectiveness and efficiency (continual improvement)
• The Quality Policy does not cover:
  • Legal Requirements
  • Customer specific requirements in quality (e.g. SLAs)
  • Requirements of ISO/IEC 20000

What is a Service?
Definition according to goal
• A means of delivering value to Customers by facilitating Outcomes Customers want to achieve without the ownership of specific Costs and Risks (source: ITIL®)
Definition according to composition
• Target: View of all components and Management relevant aspects of a service (technology-oriented)
• The technical composition of a Service mentions three elements:
  • The components information system
  • Support
  • Quality specifications

Components of an IT Service
Component: Information System
  Consisting of: People, Processes, Technology, Partners
  Purpose: To manage information
Component: Support
  Consisting of: Changes, system restoration in case of failure, Maintenance
  Purpose: To ensure performance according to the agreed requirements
Quality specifications *: Availability, Capacity, Performance, Security, Scalability, Adjustability, Portability
* Quality specifications of the information service to be specified and agreed upon

Relationship between IT Services & Quality
• A service is provided through the interaction of the provider with customers and users; quality of the service depends upon this interaction
• Quality is a measure of the extent to which the service fulfills the requirements and expectations of the customer
• Customer perception of quality is largely based on expectations:
  • Common language/terminology required to ensure effective dialogue
  • Expectations need to be clearly defined
  • Supplier should continually assess how service is being experienced and what the customer expects in the future
  • Providing constant quality is crucial to perception

Service Quality
«Quality of Service is a measure that indicates the overall effect of service performance that determines the degree of satisfaction of a user of the service. The measure is derived from the ability of the resources to provide different levels of services. The measure can be both quantitative and qualitative.»
• Quality of service is a critical part of customer and end user satisfaction
• Measure of the ability of a service to provide the intended value to a customer
• Specific to the individual customer; quality metrics should be defined from the customer’s perspective
• Customer perception of service quality may vary over time

Exam Requirements: Service & Quality
The importance of quality of IT services
Describe:
• What quality is and why it is important
• Quality management and the role of the Quality Management System
• What an IT service is
• The factors needed to deliver an IT service
• The relationship between IT services and quality

Process orientation in management
Processes control and impact on …
• Individuals’ behavior
• Employment of technology
• Usage of information/knowledge
  • Processes make results of activities predictable
  • Process Orientation as a Management Paradigm

Motivation For Process Orientation
• Availability is the most essential service parameter of enterprise services
• Availability is determined by frequency and duration of service failure
• About 80% of failures are a consequence of people and process issues
• Duration of failures extensively depends on nontechnical factors!
Need for Management of IT processes!

Basic Relationships: IT Service Management
• Business Processes are supported by IT Services
• Delivering IT Services is the key task of an IT provider
• Customers of the IT provider are basically organizations that are involved in business processes
• Users use IT Services to carry out day-to-day work
• ITSM Frameworks describe Best Practices of IT Service Management

Process-oriented IT Service Management
OBJECTIVE:
• Management of IT Services for fulfillment of business requirements

Benefits of a process-oriented IT Service Management
• Effectiveness and efficiency of workflows will be increased
• IT Management will be placed on a stable foundation by focusing on business objectives and customer orientation
• Improved external communication, competitive advantage
• Improved communication, learning from experience and Knowledge Management
• Output more comprehensible and predictable
• Fewer failures and resultant faults
• Better Management of risks (reduced insurance rates, compliance requirements)

Risks of a process-oriented IT Service Management
• Bureaucratic procedures, more paperwork
• Lower effectiveness and efficiency, if
  • The staff is not aware of processes and measures and personnel do not accept the system
  • Senior Management pays lip-service to the system
  • Important work is done outside of the system and process is not complied with

Role Of Tools
Automated support aids in the performance of tasks / activities
• Purpose:
  • automate management tasks
  • increase efficiency = cost reduction
  • provide evidence of the process activities performed
• Examples:
  • Monitoring tools
  • Software distribution tools
  • Service Management / workflow tools
  • Remote infrastructure management tools
«A fool with a tool is still a fool!»

Exam Requirements: The concept of IT Service Management
Describe:
• the concept of IT Service management
• the benefits and risks of IT Service management
• the role of tools used within IT Service management

Continual Improvement: Overview
(Diagram elements: Continual Improvement, PDCA, Customer Satisfaction, Maturity Model, Quality Management System, Assessments, Review & Audit)

Continual Improvement
• Necessary in order to improve the performance of the organization and increase customer satisfaction
• Needs to be a permanent objective of the organization
• Continual activity that keeps the wheel of the PDCA cycle turning
• Ensures improvement activities at all levels are aligned to the organization’s strategy
• Increases flexibility to act quickly on opportunities
• Applying the principle leads to a company culture and organization-wide approach to continual improvement
• Leads to more business in the mid-term by actively improving the relationship with customers

PDCA in Service Management
Quality Management System
• Agreements with customer
• Agreements in organization
• Deliver
• Evaluate

Example of application of the PDCA Cycle
PLAN: Design or change a process with the aim of improving results
DO: Implement the change and measure the change in results
CHECK: Compare the measurements with the original performance to assess improvements
ACT: Decide on the changes that are needed to improve the process

Capability Assessments
• Compares the performance of a process against a performance standard, such as:
  • Agreements in an SLA
  • A maturity standard
  • A benchmark (comparison to average in the industry)
  • An ISO standard
• Assessments will help in identifying «where are we now?» and the gap with «where do we want to be?»
• Crucial to define clearly what is being assessed
• Identifies conformances, non-conformances and observations

Types of Capability Assessments
• Evaluation of individual processes within the management system
• Systematic review of the entire management system by top management
• Comprehensive review via self-assessment, e.g. BIP 0015 Self-Assessment Guide Book as support aid
• Official first, second or third party audits
• Benchmark projects, e.g. itSMF benchmark based on comprehensive process questionnaire

Maturity models: example
• Used as a benchmark during a capability assessment to establish:
  • the maturity level of processes
  • define improvement goals of processes
  • measure progress
See also: ISO 15504

Characteristics of Maturity Levels
Level 5, Optimizing: Focus on process improvement
Level 4, Quantitatively Managed: Process measured and controlled
Level 3, Defined: Process characterized for the organization and is proactive (projects tailor their projects from organizational standards)
Level 2, Managed: Process characterized for projects and is often reactive
Level 1, Initial: Process unpredictable, poorly controlled and reactive

Exam Requirements: The principles of Continual Improvement
Describe:
• the principles of Continual Improvement and the applications of the PDCA cycle
• how maturity models work
• the nature of capability assessments and the relationship with maturity models

Best Practice
“Best Practice asserts that there is a technique, method, process, activity, incentive or reward that is more effective at delivering a particular outcome than any other technique, method, process, etc.
The idea is that with proper processes, checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen complications.
Best practices can also be defined as the most efficient (least amount of effort) and effective (best results) way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people.”

ISO/IEC 20000
• Process-Oriented Approach for IT Service Management
• Based on:
  • Best Practices in IT Service Management (e.g. as per description in ITIL®)
  • Principles of Quality Management (e.g. as per description in ISO 9000)
• Consists of several parts:
  1. Requirements
  2. Guidance on Implementation
     (Structure of parts 1 and 2, the standard’s core, is identical)
  3. Scoping
  4. Process reference model
  5. Exemplar implementation plan
     (Parts 3 to 5 are Technical Reports)

What Is: ISO/IEC 20000?
• ISO/IEC 20000 is a worldwide standard for implementing an integrated process approach for the delivery of services
• A set of minimum requirements to audit an organization against effective Service Management.
• Owner:
  • ISO – International Organization for Standardization
  • IEC – International Electrotechnical Commission
  • Developed by JTC 1 / SC 7 (Joint Technical Committee 1 / Subcommittee 7)

Basic Principles & Concepts
• Process
  • Process in general
  • Business Processes
  • IT Processes
• Service
• Process Management
• Process Assessment
• Quality / Quality Management

Purpose of ISO/IEC 20000
• Standard for good practice
• Guidance for quality
• Management system
• Certification of organization
“to provide a common reference standard for any enterprise offering IT services to internal or external customers”
• Create a common terminology for service providers, their suppliers and their customers

Benefits of ISO/IEC 20000
• ISO/IEC 20000 is the first internationally recognized worldwide process based standard created specifically for the breadth of Service Management
• ISO/IEC 20000 is independent of all frameworks, it is “framework neutral”
• Both internal and external service providers are being challenged to prove they will be able to provide the required service quality and to that end have adequate service management processes in place

Applicability & Scope of the Standards
What is the common advantage of ISO/IEC 20000?
• ISO/IEC 20000 defines requirements for Service providers
• ISO/IEC 20000 sets up a basis of standardized nomenclature for Service Management
• ISO/IEC 20000 is applicable:
  • In a bid context
  • To secure consistency of a supply chain approach
  • As Service Management benchmarking
  • As Basis of an independent assessment
  • To prove capability to meet customer requirements
  • To improve Service

Scope: Description ISO/IEC 20000
What is the purpose of the core parts of ISO/IEC?
ISO/IEC 20000-1: Requirements for Service providers intending to offer managed Services with acceptable quality levels. This is the formal specifications for the standard.
ISO/IEC 20000-2: Additional guidelines for auditors and service providers. This describes best practices in detail, and provides guidance and recommendations for the service management processes within the scope of the formal standard.
Where is ISO/IEC 20000 not suitable? Product Evaluation of Tools, etc.

Mapping the ISO 20000 standard to the Service Lifecycle
Alignment of IT with the Business:
• Business Relationship Management
• Service Level Management
• Budgeting & Accounting
• Service Reporting
• Supplier Management
Delivery of IT Services:
• Design, development and transition of New or Changed Services
• Service Delivery processes: Availability, Capacity, Service Continuity and Information Security Management
Control of IT Services:
• Change, Configuration, Release and deployment Management
Support of IT Services:
• Incident & service request management and Problem Management
Management & Improvement:
• Planning & Implementing Service Management
• Managing the Service Management System

Related Standards and Frameworks
(Diagram elements: ISO 9000, ISO 15504, ISO 27000, ISO 20000, CMM, CMMI, ITIL®, COBIT, 6σ, MOF)

ISO 9000
Owner: ISO
Field of application / audience: Industry and service providers / management, customers
Objective: International quality management standard, certified companies
Publication media / source: Standard (printout, PDF) / via ISO
Miscellaneous: ISO 9000 comprises a series of documents. Best known: ISO 9001 - Quality management systems - Requirements
ISO 9000 process approach

ISO/IEC 27000
Owner: ISO/IEC
Field of application / audience: All types of organizations / management, customers
Objective: International information security standard, certified companies
Publication media / source: Standard (printout, PDF) / via ISO
Miscellaneous: ISO 27000 comprises a series of documents. Best known: ISO 27001 – Information security management systems – Requirements; ISO 27002 – Code of Practice
ISO 27000 process approach, PDCA implemented

Relation between ISO/IEC 27000 and ISO/IEC 20000

Six Sigma (6σ)
• Originally by Motorola, USA in 1986
• Uses a set of quality management methods
• Especially statistical methods
  • The maturity of a manufacturing process can be described by a sigma rating indicating its yield, or the percentage of defect-free products it creates
• Creates a special infrastructure of people (experts)
  • Green / Black Belts

ITIL® – The service lifecycle
• Best Practice Guidance for IT Service Management
• Owned by the Cabinet Office
• Books by TSO
• Certification by APMG

ITIL® vs. ISO/IEC 20000
ITIL®:
• Definition of ITSM processes
  • Objective
  • Activities
  • Inputs & Outputs
  • interfaces within processes
• Recommendations for process implementation
  • requirements (e.g. staff skills)
  • supporting concepts
  • required functions
  • risks
• Evaluation hints
  • Critical success factors
  • Key performance indicators
ISO/IEC 20000:
• Focused on the necessary processes
• Focused on the essential activities within these
• A standard which takes certain state-of-the-art methodologies/frameworks into account
• A certifiable standard (if required)

MOF 4.0: Framework
• Composition
  - manage layer
  - plan phase
  - deliver phase
  - operate phase
• Owned by Microsoft
• Operational guidance for users of Microsoft products
Printable files (Word, PDF) / free from web: www.microsoft.com/mof

Capability Maturity Model Integration (CMMI)
Owner: Software Engineering Institute (SEI) of Carnegie Mellon University
Field of application / audience: Software and system developing organizations / management, customers
Objective: Measurement of Organizational Maturity
Publication media / source: Printable files (Word, PDF) / free from web: www.sei.cmu.edu/cmmi
Miscellaneous: No ITSM standard, but maturity levels is a frequently used concept

CMM / CMMI Maturity levels
• Process improvement is established
• Monitoring of quantitative quality goals
• Standard processes implemented & documented
• Basic process existing

ISO/IEC 15504
Owner: ISO/IEC
Field of application / audience: Software and system developing organizations / management, customers
Objective: International standard of organizational maturity assessment
Publication media / source: Standard (printout, PDF) / via ISO
Miscellaneous: The standard results from the European project SPICE (Software Process Improvement and Capability dEtermination)

COBIT
CobiT – Control Objectives for Information and Related Technology
Owner: ISACA/ITGI (Information Systems Audit and Control Association / IT Governance Institute)
Field of application / audience: IT service provider / management, customers, IT auditors
Objective: IT Governance – «Control of IT»
Publication media / source: Core documents free from ISACA website www.isaca.org/cobit.htm – registration required

COBIT: Framework
• 34 processes, structured in four lifecycle domains
• For each process:
  • High-Level Control Objective
  • Detailed Control Objectives
  • Management Guidelines
  • Maturity Model

Company-specific standards
• Tailor-made to a specific organization
  • Often based upon existing frameworks and models, e.g. MOF (aligned with ITIL®, CobiT and ISO/IEC 20000, designed to support Microsoft products)
• Various standards and frameworks used by one organization need to be aligned to each other
• Examples:
  • Security policies
  • Standards concerning IT architecture
  • Sustainability policies
  • In-company finance standard

Exam Requirements: Standards & Best Practices
• Identify the purpose and benefits of ISO/IEC 20000
• Identify the purpose and application/audience of
  • CMMI, CobiT®,
  • ISO 9000, ISO 15504, ISO 27001,
  • ITIL®, MOF, Six Sigma
• Describe the relation of ISO/IEC 20000 to company specific standards

Alignment of IT and the business
• Overview
• Introduction
• Examples
• Exam requirements

IT & the Business: Overview
(Diagram elements: Customer, Agreement, Service Level Management, Business Relationship Management, Reporting, Budgeting & Accounting, Supplier, Supplier Management)

Relationship Processes
About the process group
• Relationship processes describe the two related aspects of Supplier Management and Business Relationship Management

Alignment of IT and the business: Tasks & Scope
• The relationship processes should ensure that all parties
  - Understand and meet business needs
  - Understand capabilities and constraints
  - Understand responsibilities and obligations
• Supplier Management interfaces with Suppliers
• Business Relationship Management interfaces with customers

The processes for alignment of IT and the business
• Business relationship management
• Service level management
• Supplier management
• Service reporting
• Budgeting and accounting for services

The processes for alignment of IT and the business: Business Relationship Management
• Objectives and quality requirements
• Best practices

Business Relationship Management
Objective
• To establish and maintain a good relationship between the service provider and the customer based on understanding the customer and their business drivers

Minimum Requirements (ISO/IEC 20000 Specification)
• The service provider shall identify and document the stakeholders and customers of the services.
• A service review shall be conducted:
  • with the participation of provider and customer; other stakeholders may also be invited to the meetings;
  • to discuss any changes to the service scope, SLA, contract (if present) or the business needs;
  • at least annually;
  • and results shall be documented.
• Changes to the contracts, if present, and SLAs shall follow from these meetings as appropriate and shall be subject to the change management process.

Minimum Requirements (ISO/IEC 20000 Specification)
• The service provider shall remain aware of business needs and major changes in order to prepare to respond to these needs.
• There shall be a complaints process:
  • The definition of a formal service complaint shall be agreed upon with the customer;
  • All formal service complaints shall be recorded and managed;
  • Where a complaint is not resolved, escalation shall be available to the customer.
• There shall be a named individual who is responsible for managing customer satisfaction.
• A process shall exist for obtaining customer satisfaction information (shall be input for Service Improvement Plan).

Business relationship management: activities
• Complaints management:
  • Define a formal service complaint with the customer
  • Record and manage all formal service complaints and finally close them
  • Make escalation possible to the customer when a complaint has not been solved
• Customer satisfaction management:
  • Obtain satisfaction measurements
  • Compare performance with customer targets and previous surveys
  • Investigate and understand significant variations
  • Discuss results from satisfaction surveys with customer and agree on action plan
  • Record actions for improvement
  • Report on progress of service improvement to the customer

Business Relationship Management: interfaces
• Continual service improvement:
  • Suggest improvement
  • Receive reports on progress
• Change management process:
  • Submit requests for changes
  • Manage changes to contract(s) and SLA(s)
• Service level management:
  • SLA and service level review
• Service reporting:
  • Receive information
• Budgeting and Accounting:
  • Budget and account for all components

Fundamental Terms
User: The employee who uses IT services
Customer: The person who is authorized to conclude an agreement with the IT organization about the provision of IT services, and who is responsible for ensuring that IT services are paid for.

The processes for alignment of IT and the business: Service Level Management
• Objectives and quality requirements
• Best practices

Service Level Management
Objective
• To define, agree, record and manage levels of service
Service Level Management provides for the continual identification, monitoring and review of the levels of IT services specified in the Service level agreements (SLAs).
Service Level Management ensures that arrangements are in place with internal IT Support-Providers and external suppliers. These SLAs are sometimes called Operational Level Agreements (OLAs) for internal groups and Underpinning Contracts (UCs) for suppliers.

Service Level Management & Quality
• Provides a consistent interface to the business for all service-related issues
• Provides the business with the agreed service targets to ensure that those targets have been met.
• Provides feedback on the cause of the breach and details of the actions taken to prevent the breach from recurring
• Provides a reliable communication channel and a trusted relationship with the appropriate customers and business representatives

Service Level Management: activities
Service Level Management is the primary interface with the customer (as opposed to the user who is serviced by the Service Desk). Service Level Management is responsible for:
  - ensuring that the agreed IT services are delivered when and where they are supposed to be
  - liaising with Availability Management, Capacity Management, Incident Management and Problem Management to ensure that the required levels and quality of service are achieved within the resources agreed with Financial Management
  - producing and maintaining a Service Catalog (a list of standard IT service options and agreements made available to customers)
  - ensuring that appropriate IT Service Continuity plans exist to support the business and its continuity requirements.

Service Level Manager
• The Service Level Manager relies on the other areas of the Service Delivery process to provide the necessary support which ensures the agreed services are provided in a cost-effective, secure and efficient manner.

Fundamental Terms
Service Level Agreement (SLA): An Agreement between an IT Service Provider and a Customer which describes the Service and Service Level Targets
Service Level: Acceptable quality level of a service
Service Catalogue: A structured document with information about all provided services (the SLA may reference it)

Possible SLA content (abstract):
• Service description
• Validity period
• Authorization details
• Service hours
• Service targets
• Escalation and notification process
• Guidelines to define impact and priority
• Workload limits
• Etc.

The processes for alignment of IT and the business: Supplier Management
• Objectives and quality requirements
• Best practices

Supplier Management
Objective
• To manage suppliers to ensure the provision of seamless, quality services

Supplier Management & Quality
• Provides value for money from suppliers and contracts
• Ensures all targets in contracts and agreements are aligned to business needs and agreed SLA targets
• Ensures the delivery to the business of end-to-end, seamless, quality IT services aligned to the business’s expectation
• Ensures alignment with corporate requirements
• Ensures alignment with requirements of all other IT and ITSM processes

Supplier Management: activities
• Implement and enforce the supplier policy
• Maintain the Supplier and Contract Database (SCD)
• Agreement and implementation of service and supplier improvement plans
Supplier:
  • Categorization
  • Risk assessment
  • Evaluation
  • Selection
  • Manage suppliers
  • Manage supplier performance
Contract:
  • Development
  • Negotiation
  • Agreement
  • Review
  • Renewal
  • Termination

Fundamental Terms
Supplier: An organization responsible for supplying goods or Services that are required to deliver IT Services. Examples of suppliers include internal IT, commodity hardware and software vendors, network and telecom providers, and outsourcing organizations
Lead Supplier: A supplier who obtains parts of delivered services from a third party
Subcontracted Supplier: Supplier of a lead supplier

Supplier Management: relations with other processes
Work with
• SLM to ensure alignment with SLAs and targets
• Continuity Management to support BCM
• Support processes for escalation paths and issues
• Strategy processes regarding the supplier policy
• CSI for involvement of suppliers in improvement plans
• (May) represent suppliers at the CAB

The processes for alignment of IT and the business: Service Reporting
• Objectives and quality requirements
• Best practices

Service Reporting
Objective
• To produce agreed, timely, reliable, accurate reports for informed decision making and effective communication
• Requires technical, process and service metrics

Service Reporting
Validation: To validate previous decisions
Direction: To set direction for activities in order to meet set targets
Justification: To justify, with factual evidence or proof, that a course of action is required
Intervention: To identify a point of intervention including subsequent changes and corrective actions

Service Reporting: Minimum Requirements
• There shall be a clear description of each service report including its identity, purpose, audience and details of the data source.
• Service reports shall be produced to meet identified needs and customer requirements. Service reporting shall include:
  • performance against service level targets
  • non-compliance and issues (e.g. against the SLA, security breach)
  • workload characteristics (e.g. volume, resource utilization)
  • performance reporting following major events (e.g. major incidents and changes)
  • trend information
  • satisfaction analysis
• Management decisions and corrective actions shall take into consideration the findings in the service reports and shall be communicated to relevant parties.

Service Reporting: activities
Agreement with the business and with IT on
• What should be measured
• What can be measured
• What to report on
• Definitions of all terms and boundaries
• Basis of all calculations
• Reporting schedules
• Access to reports
• Medium to be used
• Meetings scheduled to review and discuss reports

Service Reporting: activities
• To meet needs and requirements of internal management and the customer
• Service reporting gains information from all processes
  • Performance against service level targets
  • Non-compliance and issues
  • Workload characteristics
  • Performance reporting following major events
  • Trend information
  • Satisfaction analysis

Service Reporting: terms
Reactive reports: What has happened
Pro-active reports: Advance warning of significant events
Forward schedule reports: Planned activities

Service Reporting: Example
• Service reports are based on event statistics
Classification of events:
  Notification – purely informative, for reporting purpose → no action required
  Warning – A service or device is approaching a threshold → notify the appropriate persons, process or tool
  Exception – currently operating abnormally, SLA breach → Reaction required
• Exceptions can cause incidents and/or requests for change.

The processes for alignment of IT and the business: Budgeting and accounting for services
• Objectives and quality requirements
• Best practices
AKA: Financial Management for IT Services

Budgeting & Accounting For Services
Objective
• Provides the business and IT with the quantification, in financial terms, of the value of IT Services, the value of the assets underlying the provisioning of those services, and the qualification of operational forecasting

Minimum Requirements (ISO/IEC 20000 Specification)
• There shall be clear policies and processes for:
  • budgeting, and accounting for all components including IT assets, shared resources, overheads, externally supplied service, people, insurance and licenses;
  • apportioning indirect costs and allocating direct costs to services;
  • effective financial control and authorization.
• Costs shall be budgeted in sufficient detail to enable effective financial control and decision making.
• Costs shall be monitored and reported as compared to the budget.
• Review the financial forecasts and manage costs accordingly.
• Changes to services shall include cost estimates and be approved through the change management process.

Basic Activities
Budgeting: Predicting demand behavior to forecast costs of service and to manage expenditures
Accounting: Identify actual costs
Charging: Requiring payment for IT services from customers
Charging is not part of ISO/IEC 20000 requirements
111 Cost Types & Cost Classifications
• Cost types: depends on purpose of costs – examples:
  • Hardware
  • Labor
  • Capital
  • Operation
  • Etc.
• Cost classifications
  • Direct and indirect costs
  • Fixed and variable costs
112 Charging
Possible charging motivation
• Demand management
• Cost reduction, identify inefficient areas of delivery
• Stronger alignment of services and business requirements
Charging model (examples)
• Costs
• Cost-plus
• Market price
• Fixed price
113IT & the Business: Exam RequirementsThe processes for alignment of IT and the business• Business Relationship Management• Service Level Management• Supplier Management• Service Reporting• Budgeting and Accounting for services • Describe the objectives and quality requirements • Describe the best practices
Service Delivery processes• Overview• Introduction• Examples• Exam requirements
115Designing for Service: Overview Availability Service Capacity Continuity Security
116 Designing for Service: Introduction
The main purpose of the service delivery processes is the design of new or changed services for introduction into the live environment.
A holistic approach of service design is needed to ensure that all aspects are considered when changing or amending any of the individual elements of the service.
117The Processes of Service Delivery• Availability Management• Capacity Management• Information Security Management• Service Continuity Management
118 Service Delivery processes: Availability Management
• Objectives and quality requirements
• Best practices
119Availability ManagementObjective• To ensure that agreed service availability commitments to customers can be met in all circumstances
120Availability Management & Quality• Ensures that the availability of systems and services matches the evolving agreed needs of the business• Ensures IT delivers the right levels of service availability required by the business to satisfy its business objectives and deliver the quality of service demanded by its customers• Ensure reliability, and resilience of IT services• Service availability is at the core of customer satisfaction and business success
121 Availability Management: activities
Proactive activities
• The planning, design and improvement of availability
• Principally involved within design and planning roles
Reactive activities
• The monitoring, measuring, analysis and management of all events, incidents and problems involving unavailability
• Principally involved within operational roles
122 Process Activities «Within» Availability Management
Define availability requirements
• SLA requirements?
• What is the maximum duration without or with constricted service acceptable for customers?
• What is the maximum frequency of service failure acceptable for customers?
Plan availability
• Average Availability
• Serviceability
• Maintainability
Measure availability
124 Availability Management: relations with other processes
• Budgeting & Accounting: The cost of service provision, the cost of resources and components
• Change Management: Change Schedule, assess all changes for their impact on service availability
• Release and Deployment Management: Release policy, Release Schedule, Release types
• Configuration Management: Relationships between the business, the services, the supporting services and the technology
• Service Level Management: SLA targets, SLRs, SLAs, OLAs and contracts
• Incident & problem Management: Unavailability and failure information
• Information Security Management: Confidentiality, integrity and availability requirements
125 Fundamental Terms
• Availability: Ability of a component or service to perform its agreed function when required
• Availability Plan: Document to define aspects of service availability in day-to-day operations
126 Service Delivery processes: Capacity Management
• Objectives and quality requirements
• Best practices
127Capacity ManagementObjective• To ensure that the service provider has, at all times, sufficient capacity to meet the current and future agreed demands of the customer’s business needs
128Capacity Management & Quality• Ensures that IT resources are planned and scheduled to provide a consistent level of service that is matched to the current and future needs of the business, as agreed and documented within SLAs and OLAs.• Provides a Capacity Plan that outlines the IT resources and funding needed to support the business plan, together with a cost justification of that expenditure.
129Capacity Management: activities• Review current capacity & performance• Improve current service & component capacity• Assess, agree & document new requirements & capacity• Plan new capacity
130 Capacity Management: relations with other processes
• Budgeting & Accounting: The cost of service provision, the cost of resources and components
• Change Management: Change Schedule, assess all changes for their impact on service capacity and performance
• Release and Deployment Management: Release policy, Release Schedule, Release types
• Configuration Management: Relationships between the business, the services, the supporting services and the technology
• Service Level Management: SLA targets, SLRs, SLAs, OLAs and contracts
• Incident & problem Management: Information regarding capacity and performance issues
• Service Continuity: Capacity and performance requirements during a crisis
131 Fundamental Terms
Capacity Plan
• Current infrastructure performance
• Future needs
• Documentation of cost calculated options to achieve requirements and recommendations
• Produced at least on an annual basis
Capacity predictions
• Modeling, Application Sizing
• Trend analysis
• Customer and business related forecast
Demand Management
• Influence user behavior to an optimal capacity usage
132 Service Delivery processes: Information Security Management
• Objectives and quality requirements
• Best practices
133Information Security ManagementObjective• To manage information security effectively within all service activitiesSee also: ISO 27000
134Information Security Management & Quality• Ensures that an Information Security Policy is maintained and enforced that fulfills the needs of the Business Security Policy and the requirements of corporate governance• Raises awareness of the need for security within all IT services and assets throughout the organization• Manages all aspects of IT and information security within all areas of IT and Service Management activity• Provides assurance of business processes by enforcing appropriate security controls in all areas of IT• Manages IT risk in line with business and corporate risk management processes and guidelines
136 Information Security Management: relations with other processes
• Budgeting & Accounting: The cost of service provision, the cost of resources and components
• Change Management: Change Schedule, assess all changes for their impact on security
• Release and Deployment Management: Release policy, Release Schedule, Release types
• Configuration Management: Relationships between the business, the services, the supporting services and the technology
• Service Level Management: SLA targets, SLRs, SLAs, OLAs and contracts
• Incident & problem Management: Information regarding threats and security issues
• Service Continuity: Security requirements during a crisis; Business Impact Analysis
137 Fundamental Terms
Information security
• Information security is the result of a system of policies and procedures
• Designed to protect information and any equipment used in connection with its storage, transmission and processing
CIA
• Confidentiality
  • Authorized access
• Integrity
  • Authorized changes
• Availability
  • When needed
138 Service Delivery processes: Service Continuity Management
• Objectives and quality requirements
• Best practices
139Service Continuity ManagementObjective• To ensure that agreed service continuity commitments to customers can be met in all circumstances
140Service Continuity Management & Quality• Provides an invaluable role in supporting the Business Continuity Planning process• Used to raise awareness of continuity and recovery requirements• Often used to justify and implement a Business Continuity Planning process and Business Continuity Plans• Ensures that the recovery arrangements for IT services are aligned to identified business impacts, risks and needs
141Service Continuity Management: activities• Policy setting• Define Scope• Initiate a project• Business Impact Analysis• Risk Assessment• Service Continuity Strategy• Develop Service Continuity Plans• Develop IT plans, recovery plans and procedures• Organization Planning• Testing strategy• Education, awareness and training• Review and audit• Testing• Change Management
142 Process Activities «Within» Continuity Management
• Plan Service Continuity
• Preventive measures
  • Technical: Provide stand-by systems, emergency power supply, etc.
  • Organizational: reciprocal arrangements
• Recovery options
  • Do Nothing
  • Manual work-around
  • Cold Standby, Warm Standby, Hot Standby
• Documentation of recovery procedures and operational instructions
• Regular test and review of all plans
143 Service Continuity Management: relations with other processes
• Budgeting & Accounting: The cost of service provision, the cost of resources and components
• Change Management: Change Schedule, assess all changes for their impact on service continuity
• Release and Deployment Management: Release policy, Release Schedule, Release types
• Configuration Management: Relationships between the business, the services, the supporting services and the technology
• Service Level Management: SLA targets, SLRs, SLAs, OLAs and contracts
• Incident & problem management: Information regarding threats to continuity
• Information Security management: Security requirements during a crisis; Risk analysis, threats and vulnerabilities
144 Fundamental Terms
• Service Continuity: Capability to continue service operations in exception cases
• Service Continuity Plan: Document to manage risks of exceptional events to continue or recover IT services
145 Common Activities: Availability & Continuity Management
Component Failure Impact Analysis (CFIA)
• Analyze IT infrastructure dependencies
• Identification of Single Point of Failures (SPOF)
Business Impact Analysis (BIA)
• Analyze dependencies between services and business processes
• Quantification of business impact of service failure
Risk Analysis
• Assets / Vulnerabilities / Threats
146Exam RequirementsService Delivery processesThe delivery processes and their relationships• Availability management• Capacity Management• Information Security Management• Service Continuity Management • Describe the objectives and quality requirements of the delivery processes • Describe the best practices of the delivery processes
Control of IT Services• Overview• Introduction• Examples• Exam requirements
148Control of IT services: Overview Service Configuration Database Release Change
149Control of IT services: IntroductionObjective• To manage configuration information and changes effectively
150The Processes of Control of IT Services• Change Management• Release & Deployment Management• Configuration Management
151 Control of IT Services: Change Management
• Objectives and quality requirements
• Best practices
152Change ManagementObjective• To ensure all changes are assessed, approved, implemented and reviewed in a controlled manner.
154 Minimum Requirements (ISO/IEC 20000 Specification)
• Changes shall have a clearly defined and documented scope.
• All requests for change shall be recorded and classified and assessed for their risk, impact and business benefit.
• The process shall include the manner in which the change shall be reversed or remedied if unsuccessful.
• All changes shall be reviewed after implementation (PIR).
• There shall be policies and procedures to control the authorization and implementation of emergency changes.
155 Minimum Requirements (ISO/IEC 20000 Specification)
• The scheduled implementation dates of changes shall be documented including details of all the changes (FSC).
• Change records shall be analyzed regularly to detect increasing levels of changes, frequently recurring type and other trends.
156 Change Management: relationship with other processes
• All relevant processes submit request for changes
• Configuration management: configuration audits should be scheduled before and after major changes
• Release management: control implementation of services, assess requests for change for their impact on release plans, update change records, manage emergency releases
• Business relation processes: control changes to SLA’s and contracts
• Service reporting: receive information
• Budgeting and accounting: budget and account for all components, cost and approve changes to services
• Service continuity and availability: assess the impact of changes on both
• Information security management: maintain security risk assessments, assess the impact of changes on security controls, prevent changes from compromising the effective operation of controls
157 Change Management: activities
• Record: All RFC
• Review & filter: Decide on RFC acceptance by defined formal criteria
• Classification: Priority (impact, urgency); Category (Risks)
• Authorize & plan: Release changes for development; budgeting and resource planning
• Coordination: Of change development and change release
• PIR: Post implementation review
158 Fundamental Terms
• Request for Change – RFC: Form to register all relevant details of a required change to a CI
• Change Record: A Record containing the CI details of an authorized Change
• Change Advisory Board – CAB: A group of people that advises in the assessment, prioritization and scheduling of Changes
• Emergency Change Advisory Board – ECAB: A subset of the Change Advisory Board put together on demand that plans and makes decisions about emergency Changes
• Forward Schedule of Change – FSC: Schedule of all planned changes
159 Control of IT Services: Release & Deployment Management
• Objectives and quality requirements
• Best practices
160Release & Deployment ManagementObjective• To distribute one or more changes in a release into the live environment including planning and documentation.
161 Minimum Requirements (ISO/IEC 20000 Specification)
• The release policy stating the frequency and type of releases shall be documented and agreed upon.
• The service provider shall plan with the business the release of services, systems, software and hardware. Plans on how to roll out the release shall be agreed to by all relevant parties (e.g. customers, users and support staff).
• The process shall include the manner in which the release shall be reversed or remedied if unsuccessful.
• Plans shall record the release dates and deliverables and refer to related change requests, known errors and problems.
• Requests for change shall be assessed for their impact on release plans.
162 Minimum Requirements (ISO/IEC 20000 Specification)
• Release management process requires update and change procedures for configurations items.
• To test releases before distribution requires a controlled test environment.
• Release and distribution shall be designed and implemented so that the integrity of hardware and software is maintained at all times.
• Success and failure of releases shall be measured. Measurements shall include incidents related to a release in the period following a release. Analysis shall provide input to a plan for improving the service.
163 Process activities «LEADING» to a Release Readiness Review
• Release planning: Release plan development, strategy and guidelines on further steps
• Release building: Release package construction including all required tools and documents for release rollout
• Acceptance tests: Release test in a simulated production environment
• Release readiness review: Assessment of test results, Go/No-Go decision on release
• Information to Change Management: If not ready for release
164 Process Activities «AFTER» a Release Readiness Review
Rollout planning
• Details of physical provisioning in productive environment
• Verify environment is ready for release (e.g. capacity: storage, room in hardware racks etc.)
• Concrete rollout times and time-frames for resource allocation
• Communication and training
• Separate plans for different locations optionally
Rollout Preparation
• Ensure that all resources included in rollout plan are available
• Prerequisites for back-out plan are met
Rollout
• Coordination, documentation and final provisioning of releases
165 Release & Deployment Management: Basic Process Workflow
166 Example Process Relationship From Change To Release
167 Fundamental Terms
Release
• A collection of new or changed CIs required to be tested together and deployed to live-environment
Definitive Media Library (DML)
• Master copies of deployed software (licensed third-party-software and proprietary)
• Basis for packaging of releases
Definitive Hardware Store (DHS)
• Physical storage location of approved and registered hardware
168 Control of IT Services: Configuration Management
• Objectives and quality requirements
• Best practices
169Configuration ManagementObjective• To define and control the components of the service and infrastructure and maintain accurate configuration information
170 Minimum Requirements (ISO/IEC 20000 Specification)
• There shall be an integrated approach to change and configuration management planning → Scope of CMDB = Scope of change management!
• Configuration management shall have an interface to financial asset accounting processes.
• There shall be a configuration management policy on what is defined as a configuration item and its constituent components.
• The information to be recorded for each item shall be defined and shall include the relationships and documentation necessary for effective service management.
171 Minimum Requirements (ISO/IEC 20000 Specification)
• Configuration management shall provide the mechanisms for identifying, recording, controlling and tracking versions of CI’s. It shall be ensured that the process meets the business needs, risk of failure and service criticality.
• Configuration management shall provide information to the change management process:
  • Supporting Change Management in risk and impact analysis of planned changes
  • Tracking of hardware/software changes
172 Minimum Requirements (ISO/IEC 20000 Specification)
• A baseline of the appropriate configuration items shall be taken before a release to the live environment.
• Master copies of digital CI’s (software, documents) shall be controlled in secure physical or electronic libraries (cp. release management: definitive software library) and referenced to the configuration records.
• All configuration items shall be uniquely identifiable and recorded in a CMDB to which update access shall be strictly limited and controlled.
• Audit procedures shall include process and CMDB.
173 Configuration Management: activities
Planning
• CMDB targets (e.g. Which processes have to be supported? How?)
• Scope of CMDB
Identification
• Define types of CIs, name conventions, versioning
Recording & Control
• Record new CIs
• Update existing CIs
Status Accounting
• Record/update lifecycle status of each CI
Verification
• Mapping CMDB and reality
174 Configuration Management: Basic Process Workflow
175 Fundamental Terms
• Configuration Item (CI): Any IT infrastructure component or other element that is recorded and maintained by configuration management process
• Configuration Management Database (CMDB): A database used to store
  – All relevant information of all CIs
  – Relationships with other CIs
• Attribute: A piece of information about a CI (e.g. asset id, location)
• Baseline: A snapshot of a group of CI’s taken at a specific point in time.
• Configuration Management System (CMS): A set of tools and databases that are used to manage configuration information
  – Includes one or more CMDBs → Federated CMDB
  – Manages relationships with other CIs and related incidents, problems, known errors, changes etc.
176Control of IT services: Exam RequirementsThe control processes and their relationships• Change Management• Configuration Management• Release & Deployment Management • Describe the objectives and quality requirements • Describe the best practices
Support of IT Services• Overview• Introduction• Examples• Exam requirements
178Support of IT services: Overview Support Incident Service Desk Problem Service Release Change CMDB
179Support of IT services: IntroductionObjective• Restore services and minimize disruption of services.
180 Support of IT Services: Processes and Function
• Incident & Service Request Management
• Problem Management
• Service Desk
181 Support of IT services: Incident & Service Request Management
• Overview
• Introduction
• Exam requirements
182Incident & Service Request ManagementObjective:• Resolve incidents as quickly as possible and minimize the adverse impact on business operations.
183 Minimum Requirements (ISO/IEC 20000 Specification)
• All Incidents shall be recorded.
• Procedures for detection, impact analysis, prioritization, classification, escalation, resolution and closure of incidents shall be defined.
• Customers shall be kept informed of the process progress and alerted BEFORE SLA is breached or at risk of being breached.
• All staff involved in incident management shall have access to relevant information such as:
  • Known errors
  • Problem resolutions
  • Configuration Management Database (CMDB)
• Major Incidents shall be managed according to a process.
184 Incident & Service Request Management: activities
• Detection & recording: Description of symptoms, creation of ticket
• Classification & initial support: If possible resolution through first level support (Service Desk); Incident prioritization and categorization
• Investigation & diagnosis: Find a resolution to restore the service as quickly as possible
• Resolution & recovery: Initiation of required recovery measures
• Closure: Resolution documentation, user confirmation, close ticket
187 Incident & service request management: relationships with other processes
• Change management: submit requests for change
• Release, configuration and problem management: exchange relevant information
• Service reporting: receive information
• Information security management: incident management covers security incidents
• Continual improvement: suggest improvements, review of major incidents
188 Fundamental Terms
• Incident: An unplanned interruption to a service or reduction in the quality of a service
• Service Request
  • Request for documentation
  • User Request for Change
• Escalation: Procedure of forwarding an incident
  • Functional Escalation
  • Hierarchical Escalation
189 Support of IT services: Problem Management
• Overview
• Introduction
• Exam requirements
190Problem ManagementObjective• To avoid disruption by proactive and reactive analysis of the cause of potential incidents
191 Process Activities: Within Reactive Problem Management
• Problem detection
• Problem logging
• Categorization
• Prioritization
• Investigation and Diagnosis
• Find out workarounds, if possible
• Create Known Error Record
• Submit request for change, if required
• Resolution
• Closure
192 Sub-processes: Within Reactive Problem Management
193 Problem management: relationships with other processes
• Customer: information on impacted business areas
• Continual improvement: suggest improvements
• Change management: submit requests for changes
• Budgeting and accounting: budget and account for all components
• Information security: exchange management information on trends in information security incidents, security incidents should be investigated by Problem management
• Incident & service request management: exchange relevant information
194 Example Relationship: From Problem To Change
195 Fundamental Terms
• Problem: An unknown cause of one or more incidents
• Known Error: Root cause of one or more incidents for which workarounds exist, if applicable
• Major Activities
  • Reactive Problem Management
  • Proactive Problem Management
196 Minimum Requirements (ISO/IEC 20000 Specification)
• All identified problems shall be recorded.
• Procedures shall be adopted to identify, minimize or avoid the impact of incidents and problems. They shall define the recording, classification, updating, escalation, resolution and closure of all problems.
• Preventive action shall be taken to reduce potential problems.
• Changes required in order to correct the underlying cause of problems shall be passed to the change management process.
197 Minimum Requirements (ISO/IEC 20000 Specification)
• Problem resolution shall be monitored, reviewed and reported on for effectiveness.
• Problem management shall be responsible for ensuring up-to-date information on known errors and corrected problems is available to incident management.
• Actions for improvement identified during this process shall be recorded and implemented.
198 Trend Analysis
Definition
• Analysis of data of various sources to identify time-related patterns
Examples of sources
• Ticket system: number of similar incidents
• Monitoring tools: resource utilization peaks
Examples of time-related patterns
• Each Monday between 7.30-9.30pm noticeable accumulation of submitting network incidents → Problem identification (reactive problem management since incidents existing)
• Every day between 2-5am marginally high utilization of an information system → Problem identification (proactive problem management since incidents should be avoided)
199 Support of IT services: Service Desk
• Overview
• Introduction
• Exam requirements
200 Service Desk
Objectives
• To ensure availability of the IT provider
• Single Point of Contact (SPOC) for Users
Tasks
• To take over tasks of service support particularly (e.g. within Incident Management Process)
• Communication to users
Service Desk is a Core concept of IT Service Management, but it is not part of the ISO/IEC 20000 requirements
201 Support of IT services: Exam Requirements
The support processes and their relationships
• Incident & Service Request Management
• Problem Management
• Service Desk
  • Describe the objectives and quality requirements
  • Describe the best practices
Management & Improvement• Management system for IT service management processes• Planning and improving service management
203 Management & Improvement: Management system for IT service management processes
• Overview
• Introduction
• Exam requirements
204Service Management system: Overview Continual Improvement Management System Assessment PDCA Planning Process Service
205Characteristics of a process-based approachA process: “A structured set of interrelated activities to accomplish a predefined objective”• Follows the activities needed to provide a Service through several departments.• Does not depend on the hierarchical structure of the organization.
206Benefits of a process-based approach• Enables to manage and control all activities needed to provide a Service• Makes relationships between processes visible• Makes check points between activities visible• Provides a common point of reference to maintain quality
207 Process Assessment
Critical Success Factors
• Meet all critical conditions to achieve success
  • What are the basic conditions of the process?
  • Does the process basically operate effectively?
→ Qualitative consideration